
remove Generic.Ransom.VxLock.E31AD1D6



Chris Haslam
2022-03-01, 20:56
How can I remove this virus?

SS&D ran this automatically today. It shows this virus. I clicked on Fix All selected.

I then ran SS&D again. This virus was still there.

...chris

Chris Haslam
2022-03-01, 21:28
I rebooted.

Ran SS&D again. E31AD1D6 had gone, but was replaced by CB7B23BB.

-----

My wife's PC has D995041C. She is rebooting.

...chris

Juliet
2022-03-03, 16:30
Hi
If what you say has been found on your computer, then there isn't much I can do to help out.

I've located an article about the infection you listed. The names of these infections change very often, as do the extensions shown to indicate the infection.

https://www.enigmasoftware.com/vxlockransomware-removal/

also
https://www.bleepingcomputer.com/forums/t/608858/id-ransomware-identify-what-ransomware-encrypted-your-files/page-79


From here about all I can suggest is to try and attempt to run a couple of scans to find/identify what's on the machine.

~~~~~~~~~~~~~~~~~

Run Malwarebytes Anti-Malware

You may have Malwarebytes Anti-Malware installed but if not, you can download it from here (https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/):

run the program
click on the ‘Dashboard’ to make sure everything is up to date, (it is not necessary to upgrade to the premium version of MBAM)
click on the ‘Scan’ tab, (directly below the Dashboard tab)
select the Threat Scan option
click the Scan Now button
Threat Scan will begin
when the scan has completed, look over the list of items found; if anything looks legit but has a bad file extension after its name, uncheck it so that it is not removed; if malware was found, click the Quarantine Selected button to allow MBAM to quarantine what was found
if prompted to restart the computer, close all other programs and click Yes to restart your computer
once you are back at your desktop, open MBAM once more
click on the ‘Reports’ tab
double-click on the most recent Scan Report
click on Export, then Copy to Clipboard

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.
you can download AdwCleaner here: https://malwarebytes.com/adwcleaner

run AdwCleaner by clicking on Scan Now
when it has finished, look over the list of items found; if anything looks legit but has a bad file extension after its name, uncheck it so that it is not removed; leave everything else that was found checked (ticked), then click on Clean and Repair
if it asks to reboot, allow the reboot
on reboot, click on View Log File; please attach the content of the log to your next reply.


============================================


Please post these 2 logs when finished.

Chris Haslam
2022-03-06, 04:16
I downloaded and ran Anti-Malware.
It told me that the SHA-2 update was missing, so I chose to download and run the legacy version.
The prompts differed from what you listed, e.g. no Dashboard, but I did do a Scan.

The report is below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/5/22
Scan Time: 8:43 PM
Log File: c751fa40-9cee-11ec-9a80-74d02b282604.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1273
Update Package Version: 1.0.51929
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Molly\Chris

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 166852
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 2 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Still need to do AdwCleaner

Chris Haslam
2022-03-06, 04:29
Prompts for Anti-Malware were somewhat different from those you listed.

I found no choice but to start a 14-day trial of Premium.

I read in the enigmasoftware.com article that VxLock sometimes masquerades as IE. I almost never ran IE.

...chris

Chris Haslam
2022-03-06, 04:54
# -------------------------------
# Malwarebytes AdwCleaner 8.3.1.0
# -------------------------------
# Build: 11-18-2021
# Database: 2022-02-03.4 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 03-05-2022
# Duration: 00:00:14
# OS: Windows 7 Professional
# Scanned: 32048
# Detected: 6


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

I look forward to your further help.

...chris
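For anyone reading the AdwCleaner output above: all six Registry hits sit under Internet Settings\ZoneMap\Domains, which is where Internet Explorer records per-domain security-zone assignments (a site placed in the Trusted sites zone, for instance, runs with fewer restrictions). The PowerShell function below is an added example, not part of this thread and not AdwCleaner's or Spybot's code; it walks that key in HKCU and in every loaded HKEY_USERS hive (including .DEFAULT and S-1-5-18, the two hives AdwCleaner listed) and prints each domain with the zone it was mapped to, so the entries can be reviewed before a cleaner removes them. It is read-only, assumes PowerShell 2.0 or later, and needs an elevated session to see the HKU hives.

```powershell
# Added example (not from the thread, not AdwCleaner code): enumerate the
# Internet Explorer ZoneMap\Domains entries that AdwCleaner reported as
# PUP.Optional.Legacy, across HKCU and every loaded HKEY_USERS hive.
# Read-only: it reports, it does not delete anything.

function Get-ZoneMapDomains {
    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

    # Zone numbers as stored in the registry values under each domain key.
    $zoneNames = @{
        0 = 'My Computer'
        1 = 'Local intranet'
        2 = 'Trusted sites'
        3 = 'Internet'
        4 = 'Restricted sites'
    }

    # HKU: is not mapped as a drive by default; map HKEY_USERS so .DEFAULT and
    # the S-1-5-* hives can be walked the same way as HKCU:.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $targets = @()
    $targets += New-Object PSObject -Property @{ Hive = 'HKCU'; Path = "HKCU:\$subPath" }
    foreach ($hive in (Get-ChildItem HKU:\ -ErrorAction SilentlyContinue)) {
        $targets += New-Object PSObject -Property @{
            Hive = "HKU\$($hive.PSChildName)"
            Path = "HKU:\$($hive.PSChildName)\$subPath"
        }
    }

    foreach ($target in $targets) {
        if (-not (Test-Path $target.Path)) { continue }

        # Each subkey is a domain; nested subkeys are host names under it
        # (Domains\example.com\www), and values named after the URL scheme
        # ('*', 'http', 'https') hold the zone number.
        foreach ($key in (Get-ChildItem $target.Path -Recurse -ErrorAction SilentlyContinue)) {
            $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
            $parts = $relative -split '\\'
            [array]::Reverse($parts)          # example.com\www -> www.example.com
            $domain = $parts -join '.'

            foreach ($valueName in $key.GetValueNames()) {
                $raw  = $key.GetValue($valueName)
                $zone = $raw -as [int]
                if ($zone -ne $null -and $zoneNames.ContainsKey($zone)) {
                    $label = $zoneNames[$zone]
                } else {
                    $label = "unknown ($raw)"
                }
                if ($valueName -eq '') { $scheme = '(default)' } else { $scheme = $valueName }

                New-Object PSObject -Property @{
                    Hive   = $target.Hive
                    Domain = $domain
                    Scheme = $scheme
                    Zone   = $label
                }
            }
        }
    }
}

# Usage: list every mapped domain, grouped by hive, for manual review.
Get-ZoneMapDomains | Sort-Object Hive, Domain | Format-Table Hive, Domain, Scheme, Zone -AutoSize
```

Entries for domains nobody on the machine remembers adding, especially ones mapped to Trusted sites, are the ones worth noting before letting AdwCleaner clean them; entries in HKU\.DEFAULT and HKU\S-1-5-18 apply to the SYSTEM profile rather than to an interactive user, which is why a cleaner reports them separately from the HKCU copies.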

Chris Haslam
2022-03-06, 04:55
I recognize none of the registry entries. Perhaps you do.

Juliet
2022-03-06, 17:16
I recognize none of the registry entries. Perhaps you do.

I do, and I'm not worried about them; those are removable.

Farbar Recovery Scan Tool (FRST) Scan

Please download Farbar Recovery Scan Tool (x32) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or Farbar Recovery Scan Tool (x64) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

(Scan times will vary from one system to another. Sometimes the scan may appear to hang and you may even see a message that says "Program not responding". Most likely that will be temporary and the scan will resume on its own. It is not unusual for a complete scan to take up to 10 minutes or even longer, depending on what the scan is finding.)

Chris Haslam
2022-03-29, 21:14
Sorry for the delay in replying. Gmail didn't forward your post to my normal email address.

I downloaded Farbar:
I downloaded Farbar to the Desktop.
I right-clicked on FRST.exe and selected Run as administrator.
Live Protection: SS&D complained: Gen:Variant.Graftor.896249 infection! Spybot has identified and blocked ... C:\Users\...\Desktop\FRST.exe
I clicked on Cancel.

What should I do?

Juliet
2022-03-30, 00:33
Yes. And post the 2 logs it will create.

Juliet
2022-03-30, 02:21
I've got to call it a night, I'll check back first thing in the morning.

Chris Haslam
2022-04-09, 20:38
addition.txt
-----------
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 05-04-2022
Ran by Chris (09-04-2022 13:28:54)
Running from C:\Users\Chris\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2013-10-12 00:27:21)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-4166634823-2150066620-1418166359-500 - Administrator - Disabled)
ASPNET (S-1-5-21-4166634823-2150066620-1418166359-1023 - Limited - Enabled)
Chris (S-1-5-21-4166634823-2150066620-1418166359-1000 - Administrator - Enabled) => C:\Users\Chris
Guest (S-1-5-21-4166634823-2150066620-1418166359-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-4166634823-2150066620-1418166359-1007 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Spybot - Search and Destroy (Enabled - Up to date) {F77C7796-45C4-531E-0DAE-B4A8229B11C8}
AS: Spybot - Search and Destroy (Enabled - Up to date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (HKLM\...\{A80FA752-C491-4ED9-ABF0-4278563160B2}) (Version: 7.1.8 - Hewlett-Packard) Hidden
7-Zip 17.01 beta (HKLM\...\7-Zip) (Version: 17.01 beta - Igor Pavlov)
Acronis True Image (HKLM\...\{A46CEE04-E692-47C9-B04A-BD849DD8AB65}) (Version: 23.6.18100 - Acronis) Hidden
Acronis True Image (HKLM\...\{A46CEE04-E692-47C9-B04A-BD849DD8AB65}Visible) (Version: 23.6.18100 - Acronis)
Acronis Universal Restore Bootable Media Builder (HKLM\...\{D8DCEF7C-9698-46FF-A1CB-89FAB7712E9E}) (Version: 11.7.40250 - Acronis)
Autodesk DWG TrueView 2016 - English (HKLM\...\DWG TrueView 2016 - English) (Version: 20.1.49.0 - Autodesk)
AutoIt Debugger 0.47.0 (HKLM\...\AutoIt Debugger) (Version: 0.47.0 - Essential Software)
AutoIt v3.3.14.5 (HKLM\...\AutoItv3) (Version: 3.3.14.5 - AutoIt Team)
AutoIt v3.3.15.3 (Beta) (HKLM\...\AutoItv3beta) (Version: 3.3.15.3 - AutoIt Team)
BabaCAD (HKLM\...\{FF8C8DDD-70E5-493E-92B6-296334F0601B}) (Version: 1.3.4 - BabaCAD)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Canon CanoScan LiDE 220 On-screen Manual (HKLM\...\Canon CanoScan LiDE 220 On-screen Manual) (Version: 7.7.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version: 1.1.11.1 - Canon Inc.)
CanoScan LiDE 220 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4811) (Version: 1.00 - Canon Inc.)
Classic Shell (HKLM\...\{E0E49E80-19DE-43FE-BFF2-8C58DDF3C7F9}) (Version: 4.1.0 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
Diskeeper 16 (HKLM\...\{24CA6BF3-C7E2-4E11-9009-A0A34B97413E}) (Version: 19.0.1214.32 - Condusiv Technologies)
DraftSight 2015 SP1 (HKLM\...\{FA2DA057-6711-4830-9D29-8F7C9BA77BAD}) (Version: 13.1.1091 - Dassault Systemes)
eMachineShop version 1.929 (HKLM\...\eMachineShop_is1) (Version: 1.929 - eMachineShop)
FileZilla Client 3.58.0 (HKLM\...\FileZilla Client) (Version: 3.58.0 - Tim Kosse)
Fine Homebuilding Archive 2011 (HKLM\...\{FC3523BB-134E-494C-957F-53DD2651A0ED}) (Version: 1.3.0000 - )
Foxit PDF Reader (HKLM\...\Foxit Reader_is1) (Version: 11.2.1.53537 - Foxit Software Inc.)
GoldWave v5.70 (HKLM\...\GoldWave v5.70) (Version: 5.70 - GoldWave Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 100.0.4896.75 - Google LLC)
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GWX Control Panel (HKLM\...\UltimateOutsider_GwxControlPanel) (Version: - UltimateOutsider)
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP LaserJet 3050/3052/3055/3390/3392 4.0 (HKLM\...\HP LaserJet 3050/3052/3055/3390/3392) (Version: 4.0 - HP)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) Update Manager (HKLM\...\{7224B7CE-196C-4E2A-A1AE-1D7BF259FD36}) (Version: 3.4.1942 - Intel Corporation)
Intel® SSD Toolbox (HKLM\...\{06D085C8-1F00-11B2-96A7-8f0CE39193ED}) (Version: 3.4.6.400 - Intel Corporation)
IrfanView 4.57 (32-bit) (HKLM\...\IrfanView) (Version: 4.57 - Irfan Skiljan)
Malwarebytes version 4.3.0.98 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.3.0.98 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM\...\Office8.0) (Version: - )
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.16.27012 (HKLM\...\{67f67547-9693-4937-aa13-56e296bd40f6}) (Version: 14.16.27012.6 - Microsoft Corporation)
Mozilla Firefox (x86 en-US) (HKLM\...\Mozilla Firefox 99.0 (x86 en-US)) (Version: 99.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 99.0.0.8124 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Nuance PaperPort 12 (HKLM\...\{D08D765A-2191-4210-9711-30FF98806770}) (Version: 12.1.0005 - Nuance Communications, Inc.)
Pegasus Mail (HKLM\...\Pegasus Mail) (Version: - David Harris)
Pegasus Mail HTML Renderer 2.4.10.3 (HKLM\...\{A9F5E1E1-1281-4862-90B4-6CF8E6AF83CE}_is1) (Version: - Micha's Midnight Manufacture)
Pegasus Mail v4.73 (HKLM\...\{6998396E-6D20-48FE-9200-4C9DFAFCED54}_is1) (Version: 4.73 - David Harris)
PowerDesk 9 (HKLM\...\{C4E1D1E5-0F67-463D-BD07-A24742AA7469}) (Version: 9.0.0.0 - Avanquest North America Inc.)
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.65.1025.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6767 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
SciTE4AutoIt3 17.224.935.0 (HKLM\...\SciTE4AutoIt3) (Version: 17.224.935.0 - Jos van der Zande)
SharpKeys (HKLM\...\{636E94DA-99C0-448F-A931-3DAD83B4975F}) (Version: 3.5.0000 - RandyRants.com)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.9.82.0 - Safer-Networking Ltd.)
Spybot Anti-Beacon (32-bit) (HKLM\...\{419A7FCF-93E1-474D-BFE9-987CF3F90C88}_is1) (Version: 3.5 - Safer-Networking Ltd.)
StudioTax 2016 (HKLM\...\{6DB3D78B-0756-4B0C-AC1B-0775378B90A0}) (Version: 12.0.10.1 - BHOK IT Consulting)
StudioTax 2017 (HKLM\...\{E5FF3290-BB3F-471A-8BDA-96135C3B69A8}) (Version: 13.0.4.0 - BHOK IT Consulting)
StudioTax 2018 (HKLM\...\{E3B7A312-0487-4261-B76D-1C94F2FAE38B}) (Version: 14.0.4.0 - BHOK IT Consulting)
StudioTax 2019 (HKLM\...\{DF514EC7-A25D-48D2-954F-93AE3837F2AB}) (Version: 15.0.5.0 - BHOK IT Consulting)
StudioTax 2020 (HKLM\...\{00A4E24D-F868-4D20-83E2-4EC0A569B305}) (Version: 16.0.6.0 - BHOK IT Consulting Inc.)
StudioTax 2021 (HKLM\...\{B409725E-D2DB-40F6-95D9-B7C0A6F638D8}) (Version: 17.0.3.0 - BHOK IT Consulting Inc.)
System Requirements Lab for Intel (HKLM\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
TextPad 5 (HKLM\...\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}) (Version: 5.4.0 - Helios)
Visual Basic 5.0 Professional Edition (HKLM\...\VB5) (Version: - )
Windows Resource Kit Tools (HKLM\...\{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}) (Version: 5.2.3790 - Microsoft Corporation)
WordPerfect IFilter 32 bit (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X6 - Common Files (HKLM\...\{315FE707-7A15-4B1B-8C5A-955428AAA01D}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Common Files English (HKLM\...\{E1AF3785-AA77-471E-ABC5-4C2B459B877A}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Extras (HKLM\...\{98F94B9C-9FF5-4053-85A6-3D4F3FA3EBA0}) (Version: 1.00.0000 - Corel Corporation)
WordPerfect Office X6 - IPM (HKLM\...\{230100D9-27B4-49A3-A30F-D44B51EF56AA}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files (HKLM\...\{440F51A9-8CA3-41D7-AFD5-F47820895949}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files English (HKLM\...\{C4D92146-95DE-415A-99CC-51FBFF7C10CF}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Oxford (HKLM\...\{8959569B-D9BA-43A9-972A-D509EE7D4BA9}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files (HKLM\...\{EAA5C699-6DB5-4508-BD64-B79EB9409C9D}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files English (HKLM\...\{86ACFB25-0FA5-4A01-96B5-EE8F229D456E}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files (HKLM\...\{069793F3-E123-47B9-88DB-5DE76FF32ADB}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files English (HKLM\...\{10FFE1D7-6A72-4483-9856-1A2FBBC5A425}) (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Setup Files (HKLM\...\{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - System Files (HKLM\...\{8270ABE3-53A5-4046-BF84-EB5FBB0F5B10}) (Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files (HKLM\...\{CCADD122-70A5-47A6-8722-1BD5267B85F5}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files English (HKLM\...\{CD29C36F-2C6D-4ED3-BC21-B20C8038E9A5}) (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WT (HKLM\...\{0F7A0D0F-6576-489E-B20B-B7C8F95BBCC3}) (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 (HKLM\...\_{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.0.0.428 - Corel Corporation)
WordPerfect Office X6 (HKLM\...\{F6582F6F-6CD1-4B62-8BC6-EACF98AF410F}) (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 SDK (HKLM\...\{D57A4C2B-C92F-46BF-9EFE-4EDD49E88628}) (Version: 16.0.0.388 - Corel Corporation)
WordPerfect OfficeReady (HKLM\...\{737D7CA8-D05C-46C7-AFED-A76616E8CA3B}) (Version: 1.0 - Corel Corporation.)
XML Notepad 2007 (HKLM\...\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}) (Version: 2.3.0.0 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98}\localserver32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\dwgviewr.exe (Autodesk, Inc -> Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{28D8ABA0-4B78-11CE-B27D-00AA001F73C1}\InprocServer32 -> C:\Program Files\Windows Resource Kits\Tools\iviewers.dll (Microsoft Corporation) [File not signed]
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\en-US\dwgviewrficn.dll (Autodesk, Inc -> Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{57EFBF49-4A8B-11CE-870B-0800368D2302}\InprocServer32 -> C:\Program Files\Windows Resource Kits\Tools\iviewers.dll (Microsoft Corporation) [File not signed]
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{7CE551EA-F85C-11CE-9059-080036F12502}\InprocServer32 -> C:\Program Files\Windows Resource Kits\Tools\iviewers.dll (Microsoft Corporation) [File not signed]
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{7CE551EB-F85C-11CE-9059-080036F12502}\InprocServer32 -> C:\Program Files\Windows Resource Kits\Tools\iviewers.dll (Microsoft Corporation) [File not signed]
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{ABECE8A0-FF84-4efb-82AE-9B3181CE097D}\InprocServer32 -> F:\Program Files\TextPad 5\System\shellext32.dll (Helios Software Solutions) [File not signed]
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{D2AF7A60-4C42-11CE-B27D-00AA001F73C1}\InprocServer32 -> C:\Program Files\Windows Resource Kits\Tools\iviewers.dll (Microsoft Corporation) [File not signed]
ShellIconOverlayIdentifiers: [ AcronisDrive] -> {5D74FD4B-4EFB-4586-8022-8637BBE40970} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2019-03-25] (Acronis International GmbH -> )
ShellIconOverlayIdentifiers: [ AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2019-03-25] (Acronis International GmbH -> )
ShellIconOverlayIdentifiers: [ AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2019-03-25] (Acronis International GmbH -> )
ShellIconOverlayIdentifiers: [ AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2019-03-25] (Acronis International GmbH -> )
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc -> Autodesk, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => F:\Program Files\7-Zip\7-zip.dll [2017-08-28] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [AcShellExtension.AcContextMenuHandler] -> {2E7A2C6C-B938-40a4-BA1C-C7EC982DC202} => C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll [2015-02-06] (Autodesk, Inc -> Autodesk)
ContextMenuHandlers1: [ANotepad++] -> {00F3C2EC-A6EE-11DE-A03A-EF8F55D89593} => F:\Program Files\Notepad++\NppShell_05.dll -> No File
ContextMenuHandlers1: [CuteFTP] -> {8f7261d0-d2b9-11d2-9909-00605205b24c} => F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll [2000-09-26] () [File not signed]
ContextMenuHandlers1: [PowerDesk Menu] -> {26E7F081-EB97-11d3-9239-006008D2D00F} => F:\Program Files\Avanquest\PowerDesk\PDShExt.dll [2012-12-14] (Avanquest Publishing USA, Inc.) [File not signed]
ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2021-12-21] (Safer-Networking Limited -> Safer-Networking Ltd.)
ContextMenuHandlers2: [CuteFTP] -> {8f7261d0-d2b9-11d2-9909-00605205b24c} => F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll [2000-09-26] () [File not signed]
ContextMenuHandlers2: [QuickFinderMenu] -> {45dfc9aa-83c4-4ded-bc9d-f0442b4b02ea} => f:\Program Files\Corel\WordPerfect Office X6\Programs\PFSE160.DLL [2012-10-31] (Corel Corporation -> Corel Corporation)
ContextMenuHandlers2: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2021-12-21] (Safer-Networking Limited -> Safer-Networking Ltd.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-03-05] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers3: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2021-12-21] (Safer-Networking Limited -> Safer-Networking Ltd.)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => F:\Program Files\7-Zip\7-zip.dll [2017-08-28] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [CuteFTP] -> {8f7261d0-d2b9-11d2-9909-00605205b24c} => F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll [2000-09-26] () [File not signed]
ContextMenuHandlers4: [PowerDesk Menu] -> {26E7F081-EB97-11d3-9239-006008D2D00F} => F:\Program Files\Avanquest\PowerDesk\PDShExt.dll [2012-12-14] (Avanquest Publishing USA, Inc.) [File not signed]
ContextMenuHandlers4: [QuickFinderMenu] -> {45dfc9aa-83c4-4ded-bc9d-f0442b4b02ea} => f:\Program Files\Corel\WordPerfect Office X6\Programs\PFSE160.DLL [2012-10-31] (Corel Corporation -> Corel Corporation)
ContextMenuHandlers4: [RecuvaShellExt] -> {435E5DF5-2510-463C-B223-BDA47006D002} => C:\Program Files\Recuva\RecuvaShell.dll [2016-06-06] (Piriform Ltd -> Piriform Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-12-14] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => F:\Program Files\7-Zip\7-zip.dll [2017-08-28] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-03-05] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [RecuvaShellExt] -> {435E5DF5-2510-463C-B223-BDA47006D002} => C:\Program Files\Recuva\RecuvaShell.dll [2016-06-06] (Piriform Ltd -> Piriform Ltd)
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files\Spybot - Search & Destroy 2\SDECon32.dll [2021-12-21] (Safer-Networking Limited -> Safer-Networking Ltd.)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper32.dll [2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]
ContextMenuHandlers1_S-1-5-21-4166634823-2150066620-1418166359-1000: [TextPad] -> {ABECE8A0-FF84-4efb-82AE-9B3181CE097D} => F:\Program Files\TextPad 5\System\shellext32.dll [2007-03-27] (Helios Software Solutions) [File not signed]

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [vidc.iv50] => C:\Windows\system32\ir50_32.dll [746496 2009-07-13] (Microsoft Windows -> Intel Corporation)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name="BVTConsumer"",Filter="__EventFilter.Name="BVTFilter"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
Shortcut: C:\Users\Chris\Desktop\schmgrReport.bat.lnk -> F:\AutoIt scripts\ATIH backup settings\schmgrReport.bat ()

==================== Loaded Modules (Whitelisted) =============

2016-11-09 17:33 - 2016-11-09 17:33 - 000026112 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_chrono-vc110-mt-1_54.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000041472 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_date_time-vc110-mt-1_54.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000101376 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_filesystem-vc110-mt-1_54.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000532480 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_log-vc110-mt-1_54.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000016896 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_system-vc110-mt-1_54.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000081408 _____ () [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\boost_thread-vc110-mt-1_54.dll
2007-05-03 17:38 - 2007-05-03 17:38 - 000036864 _____ () [File not signed] c:\program files\hp\hp ut\bin\enumeration.dll
2007-05-03 17:38 - 2007-05-03 17:38 - 000016384 _____ () [File not signed] c:\program files\hp\hp ut\bin\hpstreamsinterface.dll
2007-05-03 17:38 - 2007-05-03 17:38 - 000110592 _____ () [File not signed] c:\program files\hp\hp ut\bin\hptoolkit.dll
2007-05-03 17:38 - 2007-05-03 17:38 - 000061440 _____ () [File not signed] c:\program files\hp\hp ut\bin\hptools.dll
2007-05-03 17:38 - 2007-05-03 17:38 - 000057344 _____ () [File not signed] c:\program files\hp\hp ut\bin\hpusagetracking.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 000010752 _____ () [File not signed] c:\windows\assembly\gac\interop.hpqusg\3.0.0.0__a53cf5803f4c3827\interop.hpqusg.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 003289088 _____ () [File not signed] c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_d3f5dc3c\mscorlib.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 002994176 _____ () [File not signed] c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8cb17cfd\system.windows.forms.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 002076672 _____ () [File not signed] c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_eadb1e09\system.xml.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 001929216 _____ () [File not signed] c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_9009abfc\system.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 000022016 _____ () [File not signed] C:\Windows\system32\docobj.dll
2012-12-14 11:50 - 2012-12-14 11:50 - 000107520 _____ () [File not signed] C:\Windows\system32\FileMonitor32.dll
2014-06-04 06:43 - 2014-06-04 06:43 - 000204800 _____ () [File not signed] C:\Windows\System32\lmadxninpa.DLL
2014-06-04 06:43 - 2014-06-04 06:43 - 001126400 _____ () [File not signed] C:\Windows\System32\LMADXNLANG.DLL
2013-10-16 13:08 - 2012-08-31 15:01 - 000069632 _____ () [File not signed] C:\Windows\system32\spool\PRTPROCS\W32X86\HP1100PP.DLL
2012-12-14 11:51 - 2012-12-14 11:51 - 000011264 _____ () [File not signed] F:\Program Files\Avanquest\PowerDesk\DClickDesktopHook.dll
2012-12-14 11:36 - 2012-12-14 11:36 - 000011264 _____ () [File not signed] F:\Program Files\Avanquest\PowerDesk\mxcview.dll
2012-12-14 11:37 - 2012-12-14 11:37 - 000111616 _____ () [File not signed] F:\Program Files\Avanquest\PowerDesk\mxgview.dll
2013-10-29 11:08 - 2000-09-26 07:38 - 000143360 _____ () [File not signed] F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll
2015-03-17 18:01 - 2012-08-03 06:43 - 000548864 ____N () [File not signed] F:\Program Files\Lexmark\ErrorApp\lm__ac.dll
2015-03-17 18:01 - 2012-08-07 08:37 - 000217088 ____N () [File not signed] F:\Program Files\Lexmark\ErrorApp\lmab1err.dll
2012-12-14 11:52 - 2012-12-14 11:52 - 000314368 _____ (Avanquest Publishing USA, Inc.) [File not signed] F:\Program Files\Avanquest\PowerDesk\PDShExt.dll
2012-12-14 11:41 - 2012-12-14 11:41 - 000122368 _____ (Avanquest Software) [File not signed] F:\Program Files\Avanquest\PowerDesk\MXPM.DLL
2012-12-14 11:43 - 2012-12-14 11:43 - 000123392 _____ (Avanquest Software) [File not signed] F:\Program Files\Avanquest\PowerDesk\pddlghlp.dll
2005-09-07 13:03 - 2005-09-07 13:03 - 000036864 _____ (Black Ice Software, Inc.) [File not signed] C:\Program Files\Nuance\PaperPort\blicectr.dll
2016-11-09 17:32 - 2016-11-09 17:32 - 000620032 _____ (Condusiv Technologies) [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\Common.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000142848 _____ (Condusiv Technologies) [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\DkTabProvider.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 004118528 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\Qt5Core.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 000848384 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\Qt5Network.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 000153088 _____ (Digia Plc and/or its subsidiary(-ies)) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\Qt5Xml.dll
2007-03-27 15:24 - 2007-03-27 15:24 - 000061440 _____ (Helios Software Solutions) [File not signed] F:\Program Files\TextPad 5\System\shellext32.dll
2007-01-15 13:16 - 2007-01-15 13:16 - 000114688 _____ (Hewlett Packard) [File not signed] C:\Windows\System32\hptcpmib.dll
2007-01-15 13:17 - 2007-01-15 13:17 - 000172032 _____ (Hewlett Packard) [File not signed] C:\Windows\System32\HpTcpMon.dll
2006-10-03 11:55 - 2006-10-03 11:55 - 000139264 _____ (Hewlett Packard) [File not signed] C:\Windows\System32\hpzjrd01.dll
2006-12-12 00:45 - 2006-12-12 00:45 - 000401408 _____ (Hewlett-Packard Co.) [File not signed] C:\Program Files\HP\Digital Imaging\bin\hpqusg.dll
2007-05-23 21:22 - 2007-05-23 21:22 - 000030720 _____ (Hewlett-Packard Company) [File not signed] C:\Windows\System32\hpz3llhn.dll
2013-11-17 23:25 - 2007-01-25 14:24 - 000286208 _____ (Hewlett-Packard Corporation) [File not signed] C:\Windows\system32\spool\PRTPROCS\W32X86\hpzpp4wm.DLL
2015-03-21 10:17 - 2007-05-23 21:22 - 000089600 _____ (Hewlett-Packard Corporation) [File not signed] C:\Windows\system32\spool\PRTPROCS\W32X86\hpzpplhn.dll
2006-08-30 13:32 - 2006-08-30 13:32 - 000049152 _____ (Hewlett-Packard) [File not signed] C:\Windows\system32\FXCompChannel.DLL
2007-03-09 03:19 - 2007-03-09 03:19 - 000077824 _____ (Hewlett-Packard) [File not signed] C:\Windows\System32\hppaecpm.dll
2007-03-22 12:45 - 2007-03-22 12:45 - 000573440 _____ (Hewlett-Packard) [File not signed] C:\Windows\system32\hpxp3390.dll
2010-08-06 12:13 - 2010-08-06 12:13 - 000044032 _____ (Hewlett-Packard) [File not signed] c:\windows\system32\hpzinw12.dll
2010-08-06 12:13 - 2010-08-06 12:13 - 000053760 _____ (Hewlett-Packard) [File not signed] c:\windows\system32\hpzipm12.dll
2017-11-29 18:36 - 2017-08-28 06:40 - 000049152 ____N (Igor Pavlov) [File not signed] F:\Program Files\7-Zip\7-zip.dll
2014-04-20 10:17 - 2014-04-20 10:17 - 000683200 ____N (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicExplorer32.dll
2014-04-20 10:17 - 2014-04-20 10:17 - 003003584 ____N (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenuDLL.dll
2014-04-20 10:17 - 2014-04-20 10:17 - 000244928 _____ (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Windows\system32\StartMenuHelper32.dll
2002-04-10 10:19 - 2002-04-10 10:19 - 000118784 _____ (LEAD Technologies, Inc.) [File not signed] C:\Windows\System32\LTFIL11n.DLL
2002-04-10 10:19 - 2002-04-10 10:19 - 000392192 _____ (LEAD Technologies, Inc.) [File not signed] C:\Windows\System32\LTKRN11n.dll
2015-03-17 18:02 - 2014-06-04 06:43 - 000212480 _____ (Lexmark International Inc.) [File not signed] C:\Windows\system32\spool\PRTPROCS\W32X86\LMADXN4C.DLL
2009-06-25 09:27 - 2009-06-25 09:27 - 000376832 _____ (Marvell Semiconductor, Inc.) [File not signed] C:\Windows\System32\mvtcpmon.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 000131072 _____ (Microsoft Corporation) [File not signed] c:\windows\assembly\gac\system.runtime.serialization.formatters.soap\1.0.5000.0__b03f5f7f11d50a3a\system.runtime.serialization.formatters.soap.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 002039808 _____ (Microsoft Corporation) [File not signed] c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 001335296 _____ (Microsoft Corporation) [File not signed] c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 001216512 _____ (Microsoft Corporation) [File not signed] c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
2003-02-20 20:06 - 2003-02-20 20:06 - 000282624 _____ (Microsoft Corporation) [File not signed] C:\Windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
2003-02-20 20:06 - 2003-02-20 20:06 - 000311296 _____ (Microsoft Corporation) [File not signed] C:\Windows\Microsoft.NET\Framework\v1.1.4322\MSCORJIT.DLL
2003-02-21 08:26 - 2003-02-21 08:26 - 002088960 _____ (Microsoft Corporation) [File not signed] c:\windows\microsoft.net\framework\v1.1.4322\mscorlib.dll
2003-02-20 20:09 - 2003-02-20 20:09 - 000077824 _____ (Microsoft Corporation) [File not signed] C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
2003-02-20 20:08 - 2003-02-20 20:08 - 002482176 _____ (Microsoft Corporation) [File not signed] C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
2003-02-21 05:42 - 2003-02-21 05:42 - 000348160 _____ (Microsoft Corporation) [File not signed] C:\Windows\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
2007-01-15 13:20 - 2007-01-15 13:20 - 000241664 _____ (Microsoft Corporation) [File not signed] C:\Windows\System32\HPTcpMUI.dll
2013-11-03 14:51 - 2014-06-04 06:43 - 000758784 _____ (Microsoft Corporation) [File not signed] C:\Windows\system32\spool\DRIVERS\W32X86\3\PS5UI.DLL
2013-11-03 14:51 - 2014-06-04 06:43 - 000558080 _____ (Microsoft Corporation) [File not signed] C:\Windows\system32\spool\DRIVERS\W32X86\3\PSCRIPT5.DLL
2013-10-25 14:13 - 2013-10-25 14:13 - 000097280 _____ (Microsoft Corporation) [File not signed] C:\Windows\WinSxS\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d1cb102c435421de\ATL80.DLL
2009-06-25 09:26 - 2009-06-25 09:26 - 000126976 _____ (OpenSLP) [File not signed] C:\Windows\System32\slp32.dll
2022-02-26 14:18 - 2021-06-19 02:55 - 001079909 _____ (SQLite Development Team) [File not signed] C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2012-12-14 11:28 - 2012-12-14 11:28 - 000696832 _____ (STLport Consulting, Inc.) [File not signed] F:\Program Files\Avanquest\PowerDesk\stlport.5.2.dll
2019-03-25 21:30 - 2019-03-25 21:30 - 025338368 _____ (The ICU Project) [File not signed] C:\Program Files\Acronis\TrueImageHome\icudt54.dll
2019-03-25 21:30 - 2019-03-25 21:30 - 002056704 _____ (The ICU Project) [File not signed] C:\Program Files\Acronis\TrueImageHome\icuin54.dll
2019-03-25 21:30 - 2019-03-25 21:30 - 001425408 _____ (The ICU Project) [File not signed] C:\Program Files\Acronis\TrueImageHome\icuuc54.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 023512540 _____ (The ICU Project) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\icudt52.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 001424345 _____ (The ICU Project) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\icuin52.dll
2015-01-14 07:00 - 2015-01-14 07:00 - 001072602 _____ (The ICU Project) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\icuuc52.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 001295872 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\LIBEAY32.dll
2016-11-09 17:33 - 2016-11-09 17:33 - 000273408 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files\Condusiv Technologies\Diskeeper\SSLEAY32.dll
2022-02-26 14:18 - 2018-11-22 17:48 - 001374208 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files\Spybot - Search & Destroy 2\libeay32.dll
2022-02-26 14:18 - 2018-11-22 17:48 - 000337920 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Program Files\Spybot - Search & Destroy 2\ssleay32.dll
2015-03-17 18:01 - 2011-07-07 05:02 - 000335872 ____N (TODO: <Company name>) [File not signed] F:\Program Files\Lexmark\ErrorApp\NpaParser.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) =================

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Classes\.scr: DWGTrueViewScriptFile => C:\Windows\system32\notepad.exe "%1"

==================== Internet Explorer (Version 11) (Whitelisted) ==========

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7947 more sites.

IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123simsen.com -> www.123simsen.com

There are 7947 more sites.


==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:04 - 2022-04-07 12:30 - 000454336 ____R C:\Windows\system32\drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com

There are 15617 more lines.


==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Intel\iCLS Client\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\OpenCL SDK\2.0\bin\x86;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Condusiv Technologies\Diskeeper\TCE\;C:\PROGRA~1\CONDUS~1\DISKEE~1\;C:\Program Files\Common Files\Acronis\VirtualFile\;C:\Program Files\Common Files\Acronis\FileProtector\;C:\Program Files\Common Files\Acronis\SnapAPI\
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

MSCONFIG\startupreg: ToolBoxFX => "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) C:\Windows\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) C:\Windows\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{98D9F9A5-C382-44C4-A820-78DBDDAEE185}] => (Allow) LPort=9100
FirewallRules: [{1F1D3D76-6FAA-499F-AA0B-038BC0B8D6E9}] => (Allow) LPort=427
FirewallRules: [{47E372C1-8768-4A61-A792-8B5D32A9B6B5}] => (Allow) LPort=161
FirewallRules: [{3E46316B-F4D2-42D3-8643-3DCED4413562}] => (Allow) LPort=427
FirewallRules: [TCP Query User{054A7DAF-2D7E-4FAB-A276-79C5A342F349}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe (GlobalSCAPE, Inc.) [File not signed]
FirewallRules: [UDP Query User{AAD756BC-2D04-4728-BD30-1576279EBCC3}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe (GlobalSCAPE, Inc.) [File not signed]
FirewallRules: [{54A4E472-29D2-41CB-BADF-9CA40746588F}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9E7A7DDD-0863-4017-836A-6DB11A0CDB00}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{9C82A641-0877-4AEE-BB08-BE75BE31644B}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [TCP Query User{3653838F-07F7-4E0B-A200-119BC5EC4340}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{7ABA8A90-407B-430D-8929-2ADDC6CC53D8}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{C23F12FF-1779-4FC6-B5F7-25A61FA9D289}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe (Lexmark International, Inc. -> )
FirewallRules: [{BFE09928-4791-40DB-B097-CEA2FDF4C003}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe (Lexmark International, Inc. -> )
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [{6A52C645-0B63-4A90-B661-F728E091C0DD}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{45800C23-03CE-431F-A108-73C806C72CE2}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{2A893C07-6CEA-4F17-8D03-A953816EAED4}] => (Allow) C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
FirewallRules: [{3F74D2B4-D755-448D-9F93-E207206F2E42}] => (Allow) C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
FirewallRules: [TCP Query User{8E613441-113C-48BC-B514-00837BBF519C}C:\program files\acronis\trueimagehome\trueimage.exe] => (Allow) C:\program files\acronis\trueimagehome\trueimage.exe (Acronis International GmbH -> )
FirewallRules: [UDP Query User{DCE23AE7-5816-41A4-BD58-415FB3EF031B}C:\program files\acronis\trueimagehome\trueimage.exe] => (Allow) C:\program files\acronis\trueimagehome\trueimage.exe (Acronis International GmbH -> )
FirewallRules: [{F93CEB76-BFC1-4572-A00F-D8CBFD7C1C77}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{FA5580AB-0A43-4E64-9708-F00BBF387691}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [TCP Query User{61A06813-CFFF-41C9-A39B-1F9083BC30C1}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [UDP Query User{3C1D61AD-6C50-49F8-8116-4FCB9C51652D}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [TCP Query User{0304635B-2E24-48AA-A4D6-151934E3F595}F:\program files\filezilla ftp client\filezilla.exe] => (Block) F:\program files\filezilla ftp client\filezilla.exe (Tim Kosse -> FileZilla Project)
FirewallRules: [UDP Query User{1A71B744-E339-42BF-8C3A-4DC75D352C46}F:\program files\filezilla ftp client\filezilla.exe] => (Block) F:\program files\filezilla ftp client\filezilla.exe (Tim Kosse -> FileZilla Project)
FirewallRules: [{3376F186-3350-4145-A787-3AA98DF4E075}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\Zoom.exe => No File
FirewallRules: [{045173D7-99E6-436E-8F0A-037BBD9D11C4}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{78CF7A5F-F8AA-4D52-AA0E-8761AA743E3A}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe (Acronis International GmbH -> )
FirewallRules: [{6FFD6A8B-C2B6-4D7A-80C3-81FE04466860}] => (Allow) C:\Program Files\Common Files\Acronis\Infrastructure\mms_mini.exe (Acronis International GmbH -> Acronis International GmbH)
FirewallRules: [{D495AC9E-443E-444B-A0F5-680F9115543A}] => (Allow) C:\Program Files\Acronis\TrueImageHome\TrueImage.exe (Acronis International GmbH -> )
FirewallRules: [{6B5F8350-A2E2-4A14-A3D3-7B4B5F08011A}] => (Allow) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis International GmbH -> )
FirewallRules: [{A52BE098-6019-4479-B568-41147056B4CD}] => (Allow) C:\Program Files\Acronis\TrueImageHome\TrueImageTools.exe (Acronis International GmbH -> )
FirewallRules: [{9BAF94E4-68C8-4287-88E3-B6217DE30555}] => (Allow) C:\Program Files\Common Files\Acronis\TrueImageHome\TrueImageHomeService.exe (Acronis International GmbH -> )
FirewallRules: [{5A53A078-F3C0-4E78-877F-9580B137F3EA}] => (Allow) C:\Program Files\Acronis\TrueImageHome\MediaBuilder.exe (Acronis International GmbH -> )
FirewallRules: [{0076D6B0-DBC0-4221-8AAD-98C47424F403}] => (Allow) C:\Program Files\Acronis\TrueImageHome\SystemReport.exe (Acronis International GmbH -> )
FirewallRules: [{A122D8EC-869D-4C94-9654-8E82A1F28B59}] => (Allow) C:\Program Files\Acronis\TrueImageHome\acronis_drive.exe (Acronis International GmbH -> )
FirewallRules: [{B7902BB3-B99F-479A-93F8-D141B74FEE16}] => (Allow) C:\Program Files\Common Files\Acronis\MobileBackupServer\mobile_backup_server.exe (Acronis International GmbH -> Acronis International GmbH)
FirewallRules: [{CE8EB291-8EA2-4CCB-BD23-3A4538B06E48}] => (Allow) C:\Program Files\Acronis\TrueImageHome\mobile_backup_status_server.exe (Acronis International GmbH -> )
FirewallRules: [{AD0F7DD2-6A47-4B4A-8400-393F7FD5F0D0}] => (Allow) C:\Program Files\Acronis\TrueImageHome\ga_service.exe (Acronis International GmbH -> )
FirewallRules: [{502FF050-5B69-47C4-B75A-B0A3E28DC79C}] => (Allow) C:\Program Files\Acronis\TrueImageHome\LicenseActivator.exe (Acronis International GmbH -> )
FirewallRules: [{0245EC2F-47DF-46E4-9F32-E602466F9041}] => (Allow) C:\Program Files\Common Files\Acronis\Home\report_sender.exe (Acronis International GmbH -> )
FirewallRules: [{F4DB42B3-8DD8-4311-BB51-DBF995A38E74}] => (Allow) C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe (Acronis International GmbH -> Acronis International GmbH)
FirewallRules: [{822512EF-9F51-4A9C-8347-E00EECE38E5F}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service

==================== Restore Points =========================

31-03-2022 17:52:35 Installed StudioTax 2021
08-04-2022 00:18:35 Scheduled Checkpoint

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (04/05/2022 12:33:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (04/05/2022 12:29:25 PM) (Source: Spybot Auto Update) (EventID: 0) (User: )
Description: Event-ID 0

Error: (03/31/2022 03:38:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: wpwin16.dll, version: 16.0.0.428, time stamp: 0x51029abc
Exception code: 0xc0000005
Fault offset: 0x0041f348
Faulting process id: 0xa59c
Faulting application start time: 0x01d84535704cfa96
Faulting application path: F:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: F:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.dll
Report Id: 15d92f83-b12a-11ec-9ae8-74d02b282604

Error: (03/28/2022 01:10:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/28/2022 12:14:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDOnAccess.exe, version: 2.9.82.16, time stamp: 0x6193b8b2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24291, time stamp: 0x5be78231
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x1ce08
Faulting application start time: 0x01d842bef6bb7acd
Faulting application path: C:\Program Files\Spybot - Search & Destroy 2\SDOnAccess.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 34f9399e-aeb2-11ec-b7aa-74d02b282604

Error: (03/22/2022 11:15:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: wpwin16.dll, version: 16.0.0.428, time stamp: 0x51029abc
Exception code: 0xc0000005
Fault offset: 0x0041f348
Faulting process id: 0x5364
Faulting application start time: 0x01d83e0ad752d7f3
Faulting application path: F:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: F:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.dll
Report Id: 8dac7024-aa57-11ec-b7aa-74d02b282604

Error: (03/21/2022 10:20:05 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2022 09:53:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDOnAccess.exe, version: 2.9.82.16, time stamp: 0x6193b8b2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24291, time stamp: 0x5be78231
Exception code: 0x0eedfade
Fault offset: 0x0000845d
Faulting process id: 0x35d0c
Faulting application start time: 0x01d83d2b0c37368e
Faulting application path: C:\Program Files\Spybot - Search & Destroy 2\SDOnAccess.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 4a7756bf-a91e-11ec-adb1-74d02b282604


System errors:
=============
Error: (04/09/2022 01:31:57 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {BB6DF56B-CACE-11DC-9992-0019B93A3A84} did not register with DCOM within the required timeout.

Error: (04/07/2022 07:29:01 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer AMPED_RE_USB
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{61A2128C-D99C-413E-B4E8-292F8.
The master browser is stopping or an election is being forced.

Error: (04/07/2022 05:55:12 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR10.

Error: (04/07/2022 05:55:11 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR10.

Error: (04/07/2022 05:55:10 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR10.

Error: (04/07/2022 05:55:10 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR10.

Error: (04/07/2022 03:38:32 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR6.

Error: (04/07/2022 12:25:40 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer AMPED_RE_USB
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{61A2128C-D99C-413E-B4E8-292F8.
The master browser is stopping or an election is being forced.


==================== Memory info ===========================

BIOS: American Megatrends Inc. 1101 02/06/2013
Motherboard: ASUSTeK COMPUTER INC. P8H77-M
Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 68%
Total physical RAM: 3269.51 MB
Available physical RAM: 1031.39 MB
Total Virtual: 6537.38 MB
Available Virtual: 3238.85 MB

==================== Drives ================================

Drive c: (MWin) (Fixed) (Total:60 GB) (Free:8.6 GB) NTFS
Drive f: (MProgs) (Fixed) (Total:50 GB) (Free:37.08 GB) NTFS
Drive g: (MDataH) (Fixed) (Total:20 GB) (Free:11.02 GB) NTFS
Drive h: (MDataC) (Fixed) (Total:20 GB) (Free:8.12 GB) NTFS
Drive w: (PDataH) (Network) (Total:30 GB) (Free:21.25 GB) NTFS
Drive x: (PDataC) (Network) (Total:30 GB) (Free:22.81 GB) NTFS
Drive y: (PProgs) (Network) (Total:50 GB) (Free:46.57 GB) NTFS
Drive z: (KDataH2) (Network) (Total:492.06 GB) (Free:445.94 GB) NTFS

\\?\Volume{0a4c5e07-32d3-11e3-892a-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 223.6 GB) (Disk ID: 92C3177A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=90 GB) - (Type=05)

==================== End of Addition.txt =======================

FRST.txt
--------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-04-2022
Ran by Chris (administrator) on MOLLY (09-04-2022 13:27:57)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(explorer.exe ->) () [File not signed] C:\Program Files\HP\HP UT\bin\hppusg.exe
(explorer.exe ->) () [File not signed] F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
(explorer.exe ->) (Acresso Software Inc. -> Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(explorer.exe ->) (Acronis International GmbH -> ) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(explorer.exe ->) (Acronis International GmbH -> ) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(explorer.exe ->) (Acronis International GmbH -> Acronis International GmbH) C:\Program Files\Common Files\Acronis\TibMounter\tib_mounter_monitor.exe
(explorer.exe ->) (Avanquest Software) [File not signed] F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
(explorer.exe ->) (Hewlett-Packard Company -> Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(explorer.exe ->) (Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\hkcmd.exe
(explorer.exe ->) (Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxpers.exe
(explorer.exe ->) (Ivaylo Beltchev -> IvoSoft) [File not signed] C:\Program Files\Classic Shell\ClassicStartMenu.exe
(explorer.exe ->) (Josh Mayfield -> UltimateOutsider) F:\Program Files\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe
(explorer.exe ->) (Lexmark International, Inc. -> ) F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
(explorer.exe ->) (Nuance Communications, Inc. -> Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
(explorer.exe ->) (Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(explorer.exe ->) (Safer-Networking Limited -> Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(F:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc -> Malwarebytes) F:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(services.exe ->) (Acronis International GmbH -> ) C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
(services.exe ->) (Acronis International GmbH -> ) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(services.exe ->) (Acronis International GmbH -> ) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(services.exe ->) (Acronis International GmbH -> Acronis International GmbH) C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe
(services.exe ->) (Acronis International GmbH -> Acronis International GmbH) C:\Program Files\Common Files\Acronis\Infrastructure\mms_mini.exe
(services.exe ->) (Apple Inc. -> Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(services.exe ->) (CONDUSIV TECHNOLOGIES -> Condusiv Technologies) C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe
(services.exe ->) (Dassault Systèmes) [File not signed] C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(services.exe ->) (FOXIT SOFTWARE INC. -> Foxit Software Inc.) F:\Program Files\Foxit Software\Foxit Reader\FoxitPDFReaderUpdateService.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(services.exe ->) (Intel Corporation -> Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(services.exe ->) (Intel® Upgrade Service -> Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(services.exe ->) (Malwarebytes Inc -> Malwarebytes) F:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Protexis Inc. -> Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(services.exe ->) (Safer-Networking Limited -> Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(services.exe ->) (Safer-Networking Limited -> Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(services.exe ->) (Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [5995152 2012-10-28] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2012-02-01] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2012-02-01] (Nuance Communications, Inc. -> Nuance Communications, Inc.)
HKLM\...\Run: [QuickFinder Scheduler] => f:\Program Files\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [155592 2012-10-31] (Corel Corporation -> Corel Corporation)
HKLM\...\Run: [HPUsageTracking] => "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT" (No File)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard Company -> Hewlett-Packard)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150208 2014-04-20] (Ivaylo Beltchev -> IvoSoft) [File not signed]
HKLM\...\Run: [GwxControlPanelMonitor] => F:\Program Files\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe [4596296 2016-04-02] (Josh Mayfield -> UltimateOutsider)
HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [4992504 2022-01-12] (Acronis International GmbH -> )
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [752168 2019-03-25] (Acronis International GmbH -> )
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\tib_mounter_monitor.exe [441448 2019-03-25] (Acronis International GmbH -> Acronis International GmbH)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [5204968 2021-11-16] (Safer-Networking Limited -> Safer-Networking Ltd.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [PDHookServer] => F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] () [File not signed]
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Software Inc. -> Acresso Corporation)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [LMab1err] => F:\Program Files\Lexmark\ErrorApp\lmab1err.exe [645296 2012-08-07] (Lexmark International, Inc. -> )
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe" (No File)
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => "C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe" (No File)
HKLM\...\Windows NT x86\Print Processors\HP1100PrintProc: C:\Windows\System32\spool\prtprocs\W32X86\HP1100PP.DLL [69632 2012-08-31] () [File not signed]
HKLM\...\Windows NT x86\Print Processors\HPZPP4wm: C:\Windows\System32\spool\prtprocs\W32X86\hpzpp4wm.DLL [286208 2007-01-25] (Hewlett-Packard Corporation) [File not signed]
HKLM\...\Windows NT x86\Print Processors\hpzpplhn: C:\Windows\System32\spool\prtprocs\W32X86\hpzpplhn.dll [89600 2007-05-23] (Hewlett-Packard Corporation) [File not signed]
HKLM\...\Windows NT x86\Print Processors\hpzppwn7: C:\Windows\System32\spool\prtprocs\W32X86\hpzppwn7.dll [90624 2009-07-13] (Microsoft Windows -> Hewlett-Packard Corporation)
HKLM\...\Windows NT x86\Print Processors\LMADXN4C: C:\Windows\System32\spool\prtprocs\W32X86\LMADXN4C.DLL [212480 2014-06-04] (Lexmark International Inc.) [File not signed]
HKLM\...\Print\Monitors\Advanced TCP/IP Port Monitor: C:\Windows\system32\mvtcpmon.dll [376832 2009-06-25] (Marvell Semiconductor, Inc.) [File not signed]
HKLM\...\Print\Monitors\CutePDF Writer Monitor: C:\Windows\system32\cpwmon2k.dll [89136 2013-10-23] (Acro Software Inc. -> )
HKLM\...\Print\Monitors\HP DriverMon LJ3390: C:\Windows\system32\hppaecpm.dll [77824 2007-03-09] (Hewlett-Packard) [File not signed]
HKLM\...\Print\Monitors\HP Standard TCP/IP Port: C:\Windows\system32\HpTcpMon.dll [172032 2007-01-15] (Hewlett Packard) [File not signed]
HKLM\...\Print\Monitors\HP1100LM: HP1100LM.DLL
HKLM\...\Print\Monitors\LM_LMADXN: C:\Windows\system32\LMADXNLANG.DLL [1126400 2014-06-04] () [File not signed]
HKLM\...\Print\Monitors\PCL hpz3llhn: C:\Windows\system32\hpz3llhn.dll [30720 2007-05-23] (Hewlett-Packard Company) [File not signed]
HKLM\...\Print\Monitors\PCL hpz3lwn7: C:\Windows\system32\hpz3lwn7.dll [30720 2009-07-13] (Microsoft Windows -> Hewlett-Packard Company)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files\Google\Chrome\Application\100.0.4896.75\Installer\chrmstp.exe [2022-04-07] (Google LLC -> Google LLC)
AppInit_DLLs: C:\Windows\system32\FileMonitor32.dll => C:\Windows\system32\FileMonitor32.dll [107520 2012-12-14] () [File not signed]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2016-10-11]
ShortcutTarget: Microsoft Find Fast.lnk -> F:\Program Files\Microsoft Office\Office\FINDFAST.EXE () [File not signed]
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dialog Helper.lnk [2013-10-25]
ShortcutTarget: Dialog Helper.lnk -> F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe (Avanquest Software) [File not signed]
BootExecute: autocheck autochk * sdnclean.exe
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0B6E885F-D349-4707-90FB-E92D8FE6010E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc -> Google Inc.)
Task: {1D6AB74A-A772-4B8E-B4D2-A97C1042D171} - System32\Tasks\Microsoft\Windows\Time Synchronization\C Sync Time => Command(1): %windir%\system32\sc.exe -> start w32time task_started
Task: {1D6AB74A-A772-4B8E-B4D2-A97C1042D171} - System32\Tasks\Microsoft\Windows\Time Synchronization\C Sync Time => Command(2): %windir%\system32\w32tm.exe -> /resync /nowait
Task: {2CE6DDEA-14B8-4C58-98C4-178BDA741566} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [5629064 2021-11-23] (Safer-Networking Limited -> Safer-Networking Ltd.)
Task: {2F14BB0A-70F8-47D2-9BAB-2C333EC54B2B} - System32\Tasks\My Alarm\My Alarm005 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [943784 2020-05-16] (AutoIt Consulting Ltd -> AutoIt Team) -> "F:\AutoIt scripts\MyAlarm.au3" "Make Make Subs DL Web Page, Upload, and Email notice (week) 102d1.wcm production version" "~ty dt" "~ed 2022-04-25" "/st 13:17" "/tn My Alarm\My Alarm005"
Task: {2F9EC57E-F920-4EF6-88F4-CA3DACFEAD02} - System32\Tasks\Intel_F_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [1508096 2017-05-23] (Intel(R) Corporation - NAND Flash Memory -> Intel)
Task: {49307A00-9295-4C6C-9C8E-A622A9D87B2B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [5363552 2021-11-16] (Safer-Networking Limited -> Safer-Networking Ltd.)
Task: {5DD4AF47-439D-426D-B8D4-7BA020FCE5C9} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel(R) Update Manager -> Intel Corporation)
Task: {67A38BA1-9134-4157-A326-47AA7F4059D3} - System32\Tasks\{850D6D04-DD46-49C0-9A3B-4CD1B86ADB2D} => C:\Windows\system32\pcalua.exe -a "H:\DL\Irfanview 4_54\iview454_setup.exe" -d "H:\DL\Irfanview 4_54"
Task: {6D3D40F5-BD27-4434-9345-58EF95E4CFD1} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => C:\Program Files\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe [8790696 2019-12-18] (Safer-Networking Ltd. -> )
Task: {71E34AD2-0884-4D08-B0A3-0E3B594D9A40} - System32\Tasks\Intel_C_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [1508096 2017-05-23] (Intel(R) Corporation - NAND Flash Memory -> Intel)
Task: {810AF7D6-8EBC-49C1-90CB-31AADAAE7FFB} - System32\Tasks\My Alarm\My Alarm001 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [943784 2020-05-16] (AutoIt Consulting Ltd -> AutoIt Team) -> "F:\AutoIt scripts\MyAlarm.au3" "Pay Hudson Hardware" "~ty bt" "~bm 4" "~dk calendar" "/st 11:00" "~am 0" "/tn My Alarm\My Alarm001"
Task: {85C317C4-0E0A-4C2D-8A94-8A096F45988C} - System32\Tasks\Intel_H_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [1508096 2017-05-23] (Intel(R) Corporation - NAND Flash Memory -> Intel)
Task: {8A7E0DA5-90E9-4113-B4EC-1FCD3E04E8D2} - System32\Tasks\My Alarm\My Alarm002 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [943784 2020-05-16] (AutoIt Consulting Ltd -> AutoIt Team) -> "F:\AutoIt scripts\MyAlarm.au3" "Send Comments" "~ty wt" "/d Tue" "/st 20:00" "~am 0" "/tn My Alarm\My Alarm002"
Task: {AB61584E-29DA-49C8-89AF-FAD6469B4560} - System32\Tasks\{2B37C955-537D-4B6E-833E-52C603FFA80B} => C:\Windows\system32\pcalua.exe -a "H:\DL\Irfanview 4_54\iview454a_plugins_setup.exe" -d "H:\DL\Irfanview 4_54"
Task: {B4A21C92-41B5-4627-B5AB-91DFA73BAA16} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc -> Google Inc.)
Task: {BD222059-A389-45E4-A0C3-B99EC876BD92} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel(R) Update Manager -> Intel Corporation)
Task: {BFC5DF99-3D59-4D1C-A40A-0632B292EAA6} - System32\Tasks\{82065A16-7231-4FA4-86D6-75CC5D970F17} => C:\QV2\QV2.EXE [383520 1992-11-06] () [File not signed]
Task: {C388E02D-C331-4983-8D65-0B46CF5AD7EB} - System32\Tasks\Intel_G_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [1508096 2017-05-23] (Intel(R) Corporation - NAND Flash Memory -> Intel)
Task: {CE666DA6-5038-47DD-88B2-138B7D9D635C} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [6093928 2021-12-20] (Safer-Networking Limited -> Safer-Networking Ltd.)
Task: {D44B75A7-4A96-4FC9-9E5E-A9DFCDA6B8C5} - System32\Tasks\{03AF8397-0B59-4BDC-9C2F-C6D0D41103F9} => C:\Windows\system32\pcalua.exe -a "F:\Program Files\Avanquest\PowerDesk\PDExploNXP.exe"
Task: {E2379398-F40A-492B-955B-CA5F183278F3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan most recently used file in the background => C:\Program Files\Spybot - Search & Destroy 2\SDOnAccess.exe [5886744 2021-11-16] (Safer-Networking Limited -> Safer-Networking Ltd.)
Task: {E24E5581-902C-4661-ABBB-4834EB96726D} - System32\Tasks\_My Alarm => "F:\AutoIt scripts\MyAlarm.au3" [Argument = showMissedAtLogin]
Task: {E3A63D79-6E85-4A58-8519-408AA043BA8A} - System32\Tasks\My Alarm\My Alarm003 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [943784 2020-05-16] (AutoIt Consulting Ltd -> AutoIt Team) -> "F:\AutoIt scripts\MyAlarm.au3" "Make Make Comments web pages SSI 101d1.wcm production version" "~ty dt" "~ed 2022-04-24" "/st 14:29" "/tn My Alarm\My Alarm003"
Task: {F3BF17EF-B561-4E61-9EB1-C3138185B10F} - System32\Tasks\Tweaking.com - Registry Backup => C:\Program Files\Tweaking.com\Registry Backup\TweakingRegistryBackup.exe /silent (No File)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:8080
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc. -> Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{61A2128C-D99C-413E-B4E8-292F8A12B08D}: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF DefaultProfile: fh8ss4av.default-1472575210563-1504725635353
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\5o4091bm.default-release [2022-04-07]
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\fh8ss4av.default-1472575210563-1504725635353 [2022-04-09]
FF Notifications: Mozilla\Firefox\Profiles\fh8ss4av.default-1472575210563-1504725635353 -> hxxps://www.autoitscript.com
FF Extension: (Adblock Plus - free ad blocker) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\fh8ss4av.default-1472575210563-1504725635353\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2021-11-24]
FF HKLM\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [Legacy] [not signed]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.cpdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitPDFReaderPlugin.dll [2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.cpdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitPDFReaderPlugin.dll [2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitPDFReaderPlugin.dll [2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitPDFReaderPlugin.dll [2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitPDFReaderPlugin.dll [2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel® Identity Protection Technology Software -> Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel® Identity Protection Technology Software -> Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
StartMenuInternet: FIREFOX.EXE - F:\Program Files\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default [2022-04-07]
CHR Extension: (Slides) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2019-08-30]
CHR Extension: (Docs) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2019-08-30]
CHR Extension: (Google Drive) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2021-02-21]
CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2019-08-30]
CHR Extension: (Sheets) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2019-08-30]
CHR Extension: (Google Docs Offline) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2022-04-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-02-21]
CHR Extension: (Gmail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2021-02-25]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AcronisActiveProtectionService; C:\Program Files\Common Files\Acronis\ActiveProtection\anti_ransomware_service.exe [4387696 2022-01-12] (Acronis International GmbH -> Acronis International GmbH)
R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [1155344 2019-03-25] (Acronis International GmbH -> )
R2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [6341824 2022-02-13] (Acronis International GmbH -> )
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation - pGFX -> Intel Corporation)
R2 Diskeeper; C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe [2461408 2016-11-09] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1074480 2015-03-01] (Flexera Software LLC -> Flexera Software LLC)
R2 FoxitReaderUpdateService; F:\Program Files\Foxit Software\Foxit Reader\FoxitPDFReaderUpdateService.exe [2359424 2022-01-21] (FOXIT SOFTWARE INC. -> Foxit Software Inc.)
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel® Upgrade Service -> Intel(R) Corporation)
S3 iumsvc; C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel(R) Update Manager -> Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation -> Intel Corporation)
R2 MBAMService; F:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [5959136 2022-03-05] (Malwarebytes Inc -> Malwarebytes)
R2 mmsminisrv; C:\Program Files\Common Files\Acronis\Infrastructure\mms_mini.exe [4882992 2022-01-12] (Acronis International GmbH -> Acronis International GmbH)
S3 mobile_backup_server; C:\Program Files\Common Files\Acronis\MobileBackupServer\mobile_backup_server.exe [3004128 2019-03-25] (Acronis International GmbH -> Acronis International GmbH)
S3 mobile_backup_status_server; C:\Program Files\Acronis\TrueImageHome\mobile_backup_status_server.exe [1782696 2022-01-12] (Acronis International GmbH -> )
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [2782080 2021-11-16] (Safer-Networking Limited -> Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [4605312 2021-11-16] (Safer-Networking Limited -> Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [940976 2019-09-04] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [7184848 2022-01-12] (Acronis International GmbH -> )
S3 Tib Mounter Service; C:\Program Files\Common Files\Acronis\TibMounter\tib_mounter_service.exe [6057488 2019-03-25] (Acronis International GmbH -> Acronis International GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 DKDFM; C:\Windows\System32\drivers\DKDFM.sys [35600 2013-05-06] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
R3 DKRtWrt; C:\Windows\system32\drivers\DKRtWrt.sys [42136 2016-01-28] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
R0 DKTLFSMF; C:\Windows\System32\drivers\DKTLFSMF.sys [94448 2014-04-14] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies)
R3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Windows -> Microsoft Corporation)
R2 file_protector; C:\Windows\System32\DRIVERS\file_protector.sys [494600 2022-02-13] (Acronis International GmbH -> Acronis International GmbH)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [291264 2022-02-13] (ACRONIS INTERNATIONAL GMBH -> Acronis International GmbH)
R3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard) [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-20] (Intel Corporation -> Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-20] (Intel Corporation -> Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-20] (Intel Corporation -> Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [184200 2022-04-05] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [213936 2022-03-05] (Malwarebytes Inc -> Malwarebytes)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation -> Intel Corporation)
R1 SDHookDriver; C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [74328 2018-03-19] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R1 tcefs; C:\Windows\system32\drivers\tcefs.sys [22680 2015-08-18] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies Corporation)
R0 tcesd; C:\Windows\System32\drivers\tcesd.sys [200944 2016-07-19] (CONDUSIV TECHNOLOGIES -> Condusiv Technologies Corporation)
S3 tib; C:\Windows\System32\DRIVERS\tib.sys [541816 2022-02-13] (Acronis International GmbH -> Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [131016 2022-02-13] (Acronis International GmbH -> Acronis International GmbH)
S3 tnd; C:\Windows\System32\DRIVERS\tnd.sys [472584 2022-02-13] (Acronis International GmbH -> Acronis International GmbH)
R2 virtual_file; C:\Windows\System32\DRIVERS\virtual_file.sys [251088 2022-02-13] (ACRONIS INTERNATIONAL GMBH -> Acronis International GmbH)
R0 volume_tracker; C:\Windows\System32\DRIVERS\volume_tracker.sys [176912 2022-02-13] (ACRONIS INTERNATIONAL GMBH -> Acronis International GmbH)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-04-09 13:27 - 2022-04-09 13:28 - 000029158 _____ C:\Users\Chris\Desktop\FRST.txt
2022-04-09 13:27 - 2022-04-09 13:28 - 000000000 ____D C:\FRST
2022-04-09 13:27 - 2022-04-09 13:27 - 000000000 ____D C:\Users\Chris\Desktop\FRST-OlderVersion
2022-04-07 12:30 - 2022-04-05 17:51 - 000454336 _____ C:\Windows\system32\Drivers\etc\hosts.20220407-123014.backup
2022-04-03 21:50 - 2022-04-03 21:50 - 006490743 _____ C:\Users\Chris\Downloads\27UD68_ENG_US.pdf
2022-03-31 22:47 - 2022-03-31 22:47 - 000829923 _____ C:\Users\Chris\Downloads\CanadaHelps8564927.pdf
2022-03-31 17:52 - 2022-03-31 17:52 - 000002115 _____ C:\Users\Public\Desktop\StudioTax 2021.lnk
2022-03-31 15:57 - 2022-03-31 15:57 - 000001654 _____ C:\Users\Chris\Desktop\StudioTax 2021.lnk
2022-03-31 15:56 - 2022-03-31 17:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StudioTax 2021
2022-03-31 12:30 - 2022-03-30 19:09 - 000454336 _____ C:\Windows\system32\Drivers\etc\hosts.20220331-123013.backup
2022-03-29 13:59 - 2022-04-09 13:27 - 002070528 _____ (Farbar) C:\Users\Chris\Desktop\FRST.exe
2022-03-24 12:30 - 2022-03-22 12:34 - 000454336 _____ C:\Windows\system32\Drivers\etc\hosts.20220324-123013.backup
2022-03-15 21:18 - 2022-03-15 21:18 - 012080232 _____ (Tim Kosse) C:\Users\Chris\Downloads\FileZilla_3.58.0_win32-setup.exe

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-04-09 13:23 - 2013-10-11 22:28 - 000000000 ____D C:\Program Files\Google
2022-04-09 12:07 - 2016-11-19 23:31 - 000000000 ____D C:\Users\Chris\AppData\LocalLow\Mozilla
2022-04-09 09:47 - 2022-02-11 12:12 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38
2022-04-08 21:53 - 2013-11-25 10:56 - 000000000 ____D C:\Users\Chris\AppData\Roaming\ClassicShell
2022-04-08 12:25 - 2010-11-20 17:01 - 000795074 _____ C:\Windows\system32\PerfStringBackup.INI
2022-04-08 12:25 - 2009-07-13 22:37 - 000000000 ____D C:\Windows\inf
2022-04-07 17:45 - 2013-11-17 23:41 - 000000000 ____D C:\Users\Chris\Documents\My Scans
2022-04-07 01:26 - 2019-08-30 00:11 - 000002174 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-04-07 01:26 - 2019-08-30 00:11 - 000002133 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2022-04-05 20:31 - 2017-01-08 18:48 - 000000000 ____D C:\Windows\system32\Tasks\My Alarm
2022-04-05 18:14 - 2009-07-14 00:52 - 000000000 ____D C:\Windows\system32\FxsTmp
2022-04-05 17:53 - 2013-10-24 14:36 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2022-04-05 17:52 - 2019-11-13 17:24 - 000000000 ____D C:\Users\Chris\AppData\Roaming\FileZilla
2022-04-05 17:51 - 2014-05-20 09:40 - 000000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2022-04-05 17:51 - 1997-07-11 00:00 - 000021476 ____H C:\Windows\system32\FFASTLOG.TXT
2022-04-05 17:40 - 2013-11-03 15:00 - 000000000 ____D C:\Users\Chris\AppData\Local\CutePDF Writer
2022-04-05 12:40 - 2009-07-14 00:34 - 000032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2022-04-05 12:40 - 2009-07-14 00:34 - 000032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2022-04-05 12:33 - 2022-03-05 21:37 - 000184200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2022-04-05 12:32 - 2009-07-14 00:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-03-31 17:52 - 2021-04-03 18:10 - 000000000 ____D C:\Program Files\BHOK IT Consulting Inc
2022-03-31 16:05 - 2021-03-29 19:12 - 000000000 ____D C:\ProgramData\BHOK IT Consulting Inc
2022-03-31 16:00 - 2018-04-09 11:48 - 000000000 __SHD C:\ProgramData\ST
2022-03-31 16:00 - 2014-03-31 18:28 - 000000000 ____D C:\Users\Chris\AppData\Roaming\BHOK
2022-03-31 15:55 - 2021-03-01 18:50 - 000000000 ____D C:\Users\Chris\AppData\Roaming\BHOK IT Consulting Inc
2022-03-31 15:38 - 2013-10-22 18:58 - 000000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2022-03-30 19:55 - 2016-09-01 15:17 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-03-25 13:05 - 2019-11-13 17:24 - 000000951 _____ C:\Users\Public\Desktop\FileZilla Client.lnk
2022-03-25 13:05 - 2019-11-13 17:24 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client

==================== Files in the root of some directories ========

2015-08-01 10:23 - 2018-10-31 12:47 - 000000240 _____ () C:\Users\Chris\AppData\Roaming\StringRegExpGUIPattern.dat
2013-11-17 23:27 - 2013-11-17 23:27 - 000000093 _____ () C:\Users\Chris\AppData\Local\fusioncache.dat
2013-10-23 09:20 - 2021-02-02 19:47 - 000007606 _____ () C:\Users\Chris\AppData\Local\resmon.resmoncfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2022-04-07 00:54
==================== End of FRST.txt ========================

Juliet
2022-04-10, 17:32
Really didn't see much but we can tidy up and see if anything improves from doing that.

Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator, just open it and let it wait)

Highlight the text below, beginning with Start:: and finishing with End::, and select Copy.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Start::
CloseProcesses:
CreateRestorePoint:
ContextMenuHandlers1: [ANotepad++] -> {00F3C2EC-A6EE-11DE-A03A-EF8F55D89593} => F:\Program Files\Notepad++\NppShell_05.dll -> No File
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [TCP Query User{61A06813-CFFF-41C9-A39B-1F9083BC30C1}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [UDP Query User{3C1D61AD-6C50-49F8-8116-4FCB9C51652D}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [{3376F186-3350-4145-A787-3AA98DF4E075}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\Zoom.exe => No File
FirewallRules: [{045173D7-99E6-436E-8F0A-037BBD9D11C4}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKLM\...\Run: [HPUsageTracking] => "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT" (No File)
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {F3BF17EF-B561-4E61-9EB1-C3138185B10F} - System32\Tasks\Tweaking.com - Registry Backup => C:\Program Files\Tweaking.com\Registry Backup\TweakingRegistryBackup.exe /silent (No File)
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.cpdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
Hosts:
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
C:\Windows\Temp\*.*
End::

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Emsisoft Emergency Kit (https://www.bleepingcomputer.com/download/emsisoft-emergency-kit/) and save it to your desktop.

Double-click on EmsisoftEmergencyKit.exe to install and create a shortcut on the desktop.
Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\) as shown here (http://deeprybka.trojaner-board.de/bausteine/emsisoft/1.png).
After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.


When asked to run an online update, click Yes.


When the update is finished, click the Back to Security Status link in the left corner.
On the main screen click the Scan PC button.
Select Smart Scan, then click the Scan button.
When the scan is finished, click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.

Click the View Report button and in the Reports window double-click on the most recent log. Logs are named as follows: a2scan_Date-Time.txt (YYMODY) and saved to C:\EEK\bin\Reports\.
Alternatively you can click Export and save the log to your Desktop, then open by double-clicking on it.
Copy and paste the contents of that logfile in your next reply.

Chris Haslam
2022-04-10, 22:38
Really didn't see much but we can tidy up and see if anything improves from doing that.


This PC is working well, so I ask whether doing what you suggest could make it run less well.

Juliet
2022-04-11, 16:01
This PC is working well, so I ask whether doing what you suggest could make it run less well.

It was a tidy-up of empty files and a couple of policy restrictions; it would not hurt, but you don't have to do it if you would rather not.

The online scan would check for remnants of items that could be left behind from removing suspicious entries.

It's up to you.
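
The two kinds of fixlist entry discussed above, firewall "Allow" rules whose program is gone ("=> No File") and browser policy keys flagged as "Restriction", can be checked on a machine without FRST. The following PowerShell script is an added example written for this thread; it is not part of FRST, Spybot or anything posted by Juliet or Chris. It only reads the registry key FRST itself reports the rules from (HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules) and the policy keys named in the fixlist; the layout of the rule values (pipe-separated Key=Value tokens with an App= path) is assumed from how Windows stores them. Nothing is deleted, so the output is a list to review, not a fix.

```powershell
# Added example for this thread; it is not part of FRST, Spybot or any post above.
# Read-only audit of two things the FRST fixlist addressed:
#   1. Windows Firewall rules whose program (App=) no longer exists on disk
#      (FRST prints these as "=> No File").
#   2. Browser policy keys that FRST flags as "Restriction".
# Run from an elevated PowerShell prompt; nothing is changed, so review the output first.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# Policy keys named in the fixlist. HKCU covers the HKU\S-1-5-21-...-1000 hive when run as that user.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKLM:\SOFTWARE\Policies\Google',
    'HKCU:\SOFTWARE\Policies\Google'
)

function Get-OrphanedFirewallRules {
    # Each registry value is one rule, stored as '|'-separated Key=Value tokens (assumed layout),
    # e.g. v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Some\app.exe|Name=...|
    $rules = Get-ItemProperty -LiteralPath $RulesKey
    foreach ($prop in $rules.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }            # skip provider metadata (PSPath etc.)
        $tokens = ([string]$prop.Value) -split '\|'
        $app = $tokens | Where-Object { $_ -like 'App=*' } | Select-Object -First 1
        if (-not $app) { continue }                          # rule is not bound to a program
        $path = [Environment]::ExpandEnvironmentVariables($app.Substring(4))
        if ($path -notmatch '\\') { continue }               # e.g. App=System, not a file path
        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{
                Rule    = $prop.Name
                Action  = ($tokens | Where-Object { $_ -like 'Action=*' } | Select-Object -First 1)
                Program = $path
            }
        }
    }
}

function Get-BrowserPolicyValues {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Walk the key and its subkeys (Chrome policies live under Google\Chrome) and list every value.
        $keys = @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -Recurse)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $k.Name
                    Value = $name
                    Data  = [string]$k.GetValue($name)
                }
            }
        }
    }
}

"== Firewall rules whose program is missing =="
Get-OrphanedFirewallRules | Format-Table Rule, Action, Program -AutoSize

"== Browser policy values present =="
Get-BrowserPolicyValues | Format-Table Key, Value, Data -AutoSize
</test_placeholder_removed>
```

An orphaned "Allow" rule is mostly clutter: it cannot let traffic through for a program that is not there, but if something is later dropped at that exact path it inherits the rule, which is why tidying them is reasonable. Policy values under these keys are legitimate on a managed machine (an employer or a security product may set them), so the right response to a hit is to look at what the value does before removing it.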

Chris Haslam
2022-04-13, 21:55
Step 1 (of 2) done

fixlog.txt
--------
Fix result of Farbar Recovery Scan Tool (x86) Version: 13-04-2022 01
Ran by Chris (13-04-2022 14:12:14) Run:1
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris
Boot Mode: Normal

==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
ContextMenuHandlers1: [ANotepad++] -> {00F3C2EC-A6EE-11DE-A03A-EF8F55D89593} => F:\Program Files\Notepad++\NppShell_05.dll -> No File
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe => No File
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe => No File
FirewallRules: [TCP Query User{61A06813-CFFF-41C9-A39B-1F9083BC30C1}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [UDP Query User{3C1D61AD-6C50-49F8-8116-4FCB9C51652D}H:\comments\utilities\cutftp32.exe] => (Allow) H:\comments\utilities\cutftp32.exe => No File
FirewallRules: [{3376F186-3350-4145-A787-3AA98DF4E075}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\Zoom.exe => No File
FirewallRules: [{045173D7-99E6-436E-8F0A-037BBD9D11C4}] => (Allow) C:\Users\Chris\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKLM\...\Run: [HPUsageTracking] => "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT" (No File)
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {F3BF17EF-B561-4E61-9EB1-C3138185B10F} - System32\Tasks\Tweaking.com - Registry Backup => C:\Program Files\Tweaking.com\Registry Backup\TweakingRegistryBackup.exe /silent (No File)
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.cpdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files\Foxit Software\Foxit PDF Editor\plugins\npFoxitPhantomPDFPlugin.dll [No File]
Hosts:
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
C:\Windows\Temp\*.*

*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++ => removed successfully.
HKLM\Software\Classes\CLSID\{00F3C2EC-A6EE-11DE-A03A-EF8F55D89593} => removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896" => value restored successfully
"HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page" => removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main\"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EBDDD846-801E-48AE-B509-66D8B92650F6}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{26FC5F17-CF91-4358-AF93-570262B89E2C}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7BEE059F-1A46-4951-8C0A-0E413FA3197F}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{61A06813-CFFF-41C9-A39B-1F9083BC30C1}H:\comments\utilities\cutftp32.exe" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{3C1D61AD-6C50-49F8-8116-4FCB9C51652D}H:\comments\utilities\cutftp32.exe" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3376F186-3350-4145-A787-3AA98DF4E075}" => removed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{045173D7-99E6-436E-8F0A-037BBD9D11C4}" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\HPUsageTracking" => removed successfully.
C:\ProgramData\NTUSER.pol => moved successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully.
HKLM\SOFTWARE\Policies\Google => removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\SOFTWARE\Policies\Google => removed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F3BF17EF-B561-4E61-9EB1-C3138185B10F}" => removed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F3BF17EF-B561-4E61-9EB1-C3138185B10F}" => removed successfully.
C:\Windows\System32\Tasks\Tweaking.com - Registry Backup => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Tweaking.com - Registry Backup" => removed successfully.
HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.cpdf => removed successfully.
HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp => removed successfully.
HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf => removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= netsh int ip reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== "C:\Windows\Temp\*.*" ==========

C:\Windows\Temp\AcronisMMS.log => moved successfully
C:\Windows\Temp\chrome_installer.log => moved successfully
C:\Windows\Temp\fwtsqmfile00.sqm => moved successfully
C:\Windows\Temp\mbamiservice.log => moved successfully
C:\Windows\Temp\MpCmdRun.log => moved successfully
C:\Windows\Temp\TBitDefenderUpdaterThread.log => moved successfully
C:\Windows\Temp\TSpybotUpdaterThread.log => moved successfully

========= End -> "C:\Windows\Temp\*.*" ========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5190380 B
Java, Flash, Steam htmlcache => 19291 B
Windows/system/drivers => 222904 B
Edge => 0 B
Chrome => 37213776 B
Firefox => 295120635 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 41053 B
LocalService => 41181 B
NetworkService => 2468799 B
Chris => 16657337 B

RecycleBin => 0 B
EmptyTemp: => 340.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:14:13 ====

Juliet
2022-04-14, 00:52
Good deal. looking good so far.
Post the other log when finished.

Chris Haslam
2022-04-14, 19:49
When I tried to download Emsisoft Emergency Kit, Firefox told me
[attachment 13300]

Thoughts?

Juliet
2022-04-15, 16:06
When I tried to download Emsisoft Emergency Kit, Firefox told me
[attachment 13300]

Thoughts?

That is your browser alerting you to a possible download, which is what it's supposed to do; it would have been fine to allow it. But you don't have to use that one, we can try a different one.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe



It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.


When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine and let it be.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked View detected results.
Click the blue Save scan log to save the log.
If something was removed and you know it is a false finding, you may click on the blue Restore cleaned files (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for periodic scanning.

Please make sure you attach the log report.

Chris Haslam
2022-04-15, 19:58
I chose to run EEK.

What I got, after downloading, differed substantially from the steps in your instructions.

A folder named C:\EEK was created with Start Emergency Kit Scanner.exe in it.

I double clicked it, and this showed: [attachment 13301]

"Run Directly" did not show.

I accepted to run online update.

I did not see "Back to Security Status", nor did I see "Scan PC".

I am paused at this point, and will leave EEK as it is now.

Please advise.

Juliet
2022-04-15, 22:29
Scan and clean?

I see that a few things have changed.

Chris Haslam
2022-04-15, 23:24
I clicked Scan and Clean

[attachment 13302]

I clicked Malware Scan. After progress bar reached 100%, this showed:

[attachment 13303]

Clicking on View Report did nothing. I did nothing more.

Your guidance, please.

Chris Haslam
2022-04-15, 23:28
Hovering over each of the 2 shows that they are reporting on FRST.exe

Chris Haslam
2022-04-16, 00:21
scan_220415-161119.txt
-----------------------
Emsisoft Emergency Kit - Version 2021.9
Last update: 2022-04-15 12:42:23
My own Molly\Chris
MOLLY
Windows 7x86 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: ON
Scan archives: OFF
Scan mail archives: OFF
ADS Scan: ON
Direct disk access: OFF

Scan start: 2022-04-15 16:11:19
C:\Users\Chris\Desktop\FRST-OlderVersion\FRST.exe detected: Trojan.GenericKD.39437243 (B) [krnl.xmd]
C:\Users\Chris\Desktop\FRST.exe detected: Trojan.GenericKD.48872539 (B) [krnl.xmd]

Scanned 75053
Found 2

Scan end: 2022-04-15 16:12:28
Scan time: 0:01:09

Juliet
2022-04-16, 01:05
OK
What was found is actually a false positive and several scanners have found this.
We can remove all folders and quarantine files when finished.

What's the computer doing now?

Chris Haslam
2022-04-16, 01:32
What's the computer doing now?

Still sitting at the Scan Results window

Juliet
2022-04-16, 01:49
If the scan has finished, what was found we will remove.

Unless more is found?

Juliet
2022-04-16, 02:15
I've got to sign off for the evening.
If all that was found related to the Farbar Recovery tool then we're in good shape.

Let me know if you're ready to remove tools and quarantine folders.

Chris Haslam
2022-04-16, 19:39
I've got to sign off for the evening.
If all that was found related to the Farbar Recovery tool then we're in good shape.

Let me know if you're ready to remove tools and quarantine folders.

I see that Farbar found 10 files. Trusting in your guidance, I believe that I am ready to remove tools and quarantine folders. Is there a risk in doing so?

I note that we have seen no sign of the ransomware. Does this surprise you?

Juliet
2022-04-16, 20:09
I see that Farbar found 10 files. Trusting in your guidance, I believe that I am ready to remove tools and quarantine folders. Is there a risk in doing so?

I note that we have seen no sign of the ransomware. Does this surprise you?
The files we removed with FRST were a tidy-up event; they were loose files that added nothing to the machine.
As for having a ransomware infection, no signs of it.
And there was no mention of any notes or alerts telling you your computer had been infected and of money to get your files back.

The encrypted files for this specific infection will have the extension '.VXLOCK' appended to the end of the file name and on this machine there were none.

I can't say why, but I think what you saw was a false-positive.

Use this tool to remove quarantined items:

Please download KpRm (https://toolslib.net/downloads/viewdownload/951-kprm) by Kernel-panik and save to your Desktop.

Click on KpRm.exe to run the tool.


Vista/Windows 7/8/10 users right-click and select Run As Administrator (http://windows.microsoft.com/en-US/windows7/How-do-I-run-an-application-once-with-a-full-administrator-access-token).

Put a check mark next to these items:


- Delete tools
- Delete now

Click the "Run" button.

https://github.com/KernelPan1k/KpRm/raw/master/screenshots/automatic.png


When the tool has finished, it will create and open a log report and delete itself.

Chris Haslam
2022-04-17, 02:32
Thank you for your further instructions. Your idea that this is a false positive is potentially comforting!

I am wondering a bit about EEK's new user interface. You wrote, in Post 13, that EEK would take some time to run: it ran rapidly.

I also see in #13 that, with the old UI, I would have needed to check Run Directly. In scan...txt, I see Direct Disk Access: Off. Should I have turned it on in Settings?

Another thought: I do not use Outlook. Is the email application I am using protecting my PC?

Juliet
2022-04-17, 16:09
Thank you for your further instructions. Your idea that this is a false positive is potentially comforting!

I am wondering a bit about EEK's new user interface. You wrote, in Post 13, that EEK would take some time to run: it ran rapidly.

I also see in #13 that, with the old UI, I would have needed to check Run Directly. In scan...txt, I see Direct Disk Access: Off. Should I have turned it on in Settings?

Another thought: I do not use Outlook. Is the email application I am using protecting my PC?
I say potentially false-positive because I and the tools used to scan for infections were not there.

In the past, online scanners took hours to scan a computer because hard drives can be so full and people save tons of items.
The interface of the scanner had changed recently, they don't contact those who help with malware removal, kinda wish they did so I wouldn't look so stupid.
If you feel we should run other scanners to try and find something we can but since you haven't mentioned anything out of the ordinary happening I just don't think it's necessary.

Email servers
It's the person behind the computer who is your best security tool.
I did a few minutes of research on Pegasus Mail (which I have never used; I'm not saying anything good or bad about this email client, I just don't know anything about it myself)

Pegasus Mail
is a donationware, proprietary email client
Distribution and development of Pegasus Mail had ceased due to inadequate financial support from the sale of the manuals

I personally use the email client that came with the ISP provided here, I do not freely give it out.
I hate, I absolutely hate having to open attachments. I have Windows Defender scan it before opening and use MalwareBytes to scan.
I get junk mail and out it goes.

Happy Easter.

Chris Haslam
2022-04-18, 00:52
Happy Easter!

I downloaded and ran (as Administrator) KpRm as you suggested. Here's the log:

# Run at 2022-04-17 16:51:06
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by Chris from C:\Users\Chris\Desktop
# Computer Name: MOLLY
# OS: Windows 7 X86 (7601) Service Pack 1
# Number of passes: 1

- Checked options -

~ Delete Tools
~ Delete Quarantines

- Delete Tools -


## AdwCleaner
[OK] C:\AdwCleaner deleted

## Emisoft Emergency Kit
[R] C:\Users\Chris\Desktop\EmsisoftEmergencyKit.exe deleted
[R] C:\EEK deleted

## ESET Online Scanner
[OK] C:\Users\Chris\AppData\Local\ESET\ESETOnlineScanner deleted
[OK] HKLM\SOFTWARE\ESET\ESET Online Scanner deleted

## FRST
[OK] C:\Users\Chris\Desktop\Addition.txt deleted
[OK] C:\Users\Chris\Desktop\Fixlog.txt deleted
[OK] C:\Users\Chris\Desktop\FRST-OlderVersion deleted
[OK] C:\Users\Chris\Desktop\FRST.exe deleted
[OK] C:\Users\Chris\Desktop\FRST.txt deleted
[OK] C:\FRST deleted

-- KPRM finished in 92.13s --


- Need to Restart -

I restarted.



As has been the case earlier, MalwareBytes window showed, inviting me to update.
I clicked on Install
It offered Browser Guard
I declined the offer because I am running AdBlockPlus in Firefox: the two may conflict
"Installing" showed, then "Installation failed. Please restart your system then try running the installer again".
Early in this thread, I had to work around Win 7 not being fully patched.



What, if anything, should I do further?
Should I be running Malwarebytes regularly?


BTW I remember opening an email in Pegasus back in March. The text was in green, not the normal black. The window blurred for several seconds, then the email disappeared from the screen, and was not in any likely Pegasus folder. Perhaps this was Pegasus successfully defeating the ransomware? I think that the rest of the screen stayed in focus.

Here are SS&D's current schedule settings.
[attachment 13304]
[attachment 13305]

Do these look reasonable? I thought I had set Scan to once a week.

Juliet
2022-04-18, 16:21
Happy Easter!

As has been the case earlier, MalwareBytes window showed, inviting me to update.
I clicked on Install
It offered Browser Guard
I declined the offer because I am running AdBlockPlus in Firefox: the two may conflict
"Installing" showed, then "Installation failed. Please restart your system then try running the installer again".
Early in this thread, I had to work around Win 7 not being fully patched.



What, if anything, should I do further?
Should I be running Malwarebytes regularly?


BTW I remember opening an email in Pegasus back in March. The text was in green, not the normal black. The window blurred for several seconds, then the email disappeared from the screen, and was not in any likely Pegasus folder. Perhaps this was Pegasus successfully defeating the ransomware? I think that the rest of the screen stayed in focus.

Here are SS&D's current schedule settings.
[attachment 13304]
[attachment 13305]

Do these look reasonable? I thought I had set Scan to once a week.
I don't know what is going on with MalwareBytes; is it trying to download and install over an older version? You may need to completely uninstall, then reinstall.
There is a MalwareBytes support forum that can probably give answers as to why it's not updating or installing; you'll need to register and then create a new topic.
https://forums.malwarebytes.com/forum/41-malwarebytes-for-windows-support-forum/

The email, when it opened, could you read what it said?
Typically with a ransomware note, it remains on the desktop so there is no avoiding that it has hit your machine. And the computer will act very abnormally.
I can't say 100% there is not that sort of infection on here, but I can say there is/was no evidence that I found.
I can also say that in today's world there is a lot of criminal/hacking activity happening worldwide, to the point that it's scary.
In case, or for safe practices, change all your passwords from a known secure computer.

The attachments you posted would not open for me. You should scan your computer often and follow safe online practices.


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP

Chris Haslam
2022-04-19, 22:44
About the odd email:

I was not yet fully awake when it arrived in my inbox.
I can add that it had what looked like a PDF button
The email had shown in New email. I clicked on it, then on Open (rather than just seeing it in Preview).
The email disappeared from New email.


There was no ransomware note. I only know about it because a Spybot scan showed it. When I fixed it there, its "cousin" showed in the next scan.

We are very careful about passwords. We never accept offers from Firefox to remember them. We do change them.

Using a small program that I wrote, I back up incrementally at least daily. It:
looks for the archive bit being set,
selects files based on rules in a metadata file,
gives me, at run time, the ability not to back up a file,
backs up to a USB stick that is otherwise offline.


My wife and I share an email address. On her PC, Pegasus is set to receive emails. Mine is set not to check for incoming emails. When an email arrives for me, she moves it to New email on my PC. (I can also move an email from her PC to mine, in Pegasus Mail.)

I also backup using Acronis True Image weekly.

BTW I note, thanks to your guidance, on my PC, Firefox's favicons file has dropped from 34MB to 4MB. On my wife's PC, which also showed the ransomware in a scan, Firefox crashes several times a day, causing her to open links again. Which tool cleaned up Firefox for me?
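
The archive-bit incremental backup described above, written out as an added PowerShell example. This is not Chris's program; the paths, the drive letter of the stick, the rules-file format (one wildcard per line, a leading `!` excludes, `#` comments) and the `-Interactive` prompt are all assumptions made for illustration. It needs PowerShell 3 or later.

```powershell
param(
    [string]$Source      = 'C:\Users\Chris\Documents',          # assumed source tree
    [string]$Destination = 'E:\Backup',                          # the USB stick, plugged in only for the run (assumed drive letter)
    [string]$RulesFile   = 'C:\Users\Chris\backup-rules.txt',   # assumed format: one wildcard per line, '!' prefix excludes, '#' comments
    [switch]$Interactive                                         # ask before each file, i.e. the "ability not to back up a file"
)

# Refuse to run unless the offline target is actually mounted; never fall back to the system drive.
if (-not (Test-Path -LiteralPath $Destination)) {
    throw "Backup target $Destination is not present; plug in the stick and rerun."
}

# Selection rules from the metadata file. With no include patterns, every file with the archive bit set is a candidate.
$rules   = @(Get-Content -LiteralPath $RulesFile -ErrorAction SilentlyContinue) |
           ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
$exclude = @($rules | Where-Object { $_.StartsWith('!') } | ForEach-Object { $_.Substring(1) })
$include = @($rules | Where-Object { -not $_.StartsWith('!') })
if ($include.Count -eq 0) { $include = @('*') }

$stamp      = Get-Date -Format 'yyyy-MM-dd_HHmmss'
$log        = Join-Path $Destination "backup-$stamp.log"
$archiveBit = [int][IO.FileAttributes]::Archive

Get-ChildItem -LiteralPath $Source -Recurse -File |
    Where-Object { ([int]$_.Attributes -band $archiveBit) -ne 0 } |        # new or modified since the bit was last cleared
    Where-Object {
        $name = $_.Name
        (@($include | Where-Object { $name -like $_ }).Count -gt 0) -and
        (@($exclude | Where-Object { $name -like $_ }).Count -eq 0)
    } |
    ForEach-Object {
        # Run-time veto: answering "n" skips this file (and leaves its archive bit set for next time).
        if ($Interactive -and (Read-Host "Back up $($_.FullName)? [Y/n]") -match '^[nN]') { return }
        $relative = $_.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $target) | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        # Clear the archive bit only after the copy succeeded, so a failed copy is retried on the next run.
        $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $archiveBit))
        Add-Content -LiteralPath $log -Value "$stamp  $relative"
    }
```

Two caveats a practitioner would add to this design. First, the archive bit is set by any write, so if ransomware did encrypt a file, that encrypted version is exactly what the next run would copy over the good one on the stick; the stick being offline between runs protects against the malware reaching it, but not against the script faithfully replicating damage, so keep either per-run dated copies or an independent full image (as with the weekly Acronis image mentioned) for point-in-time recovery. Second, other backup tools also use and clear the archive bit, so two archive-bit-based tools on the same tree will each miss what the other has already cleared.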

Juliet
2022-04-20, 00:26
BTW I note, thanks to your guidance, on my PC, Firefox's favicons file has dropped from 34MB to 4MB. On my wife's PC, which also showed the ransomware in a scan, Firefox crashes several times a day, causing her to open links again. Which tool cleaned up Firefox for me?
I can't say for sure which command aided in helping
Below is the list of items to fix by script

It was a tidy up of empty files and a couple of policy restrictions
CreateRestorePoint:
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Hosts:
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
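
The fix list above deletes the flagged `Policies` keys without showing what they contained. An added example, not part of the FRST fix, that lists those keys' values first so the restriction can be identified before it is removed. The key names are the ones the fix list names; `HKCU:` stands in for the `HKU\S-1-5-21-...` hive of the logged-on user, and the rest is illustrative.

```powershell
function Show-PolicyValues {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { "$Key : not present"; return }
    # The key itself plus every subkey beneath it (Firefox and Chrome policies nest several levels deep).
    $keys = @(Get-Item -LiteralPath $Key) + @(Get-ChildItem -LiteralPath $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            # Multi-string values come back as arrays; join them so one line shows the whole setting.
            '{0}\{1} = {2}' -f $k.Name, $name, (($k.GetValue($name)) -join ', ')
        }
    }
}

foreach ($key in 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
                 'HKLM:\SOFTWARE\Policies\Google',
                 'HKCU:\SOFTWARE\Policies\Google') {
    Show-PolicyValues $key
}

# Registry policy (.pol) files: note who last wrote them before deleting. The ProgramData path is the
# one FRST flagged; the GroupPolicy path is where edits made in the Local Group Policy Editor land.
foreach ($pol in 'C:\ProgramData\NTUSER.pol', "$env:windir\System32\GroupPolicy\Machine\Registry.pol") {
    if (Test-Path -LiteralPath $pol) {
        Get-Item -LiteralPath $pol | Select-Object FullName, Length, LastWriteTime
    } else {
        "$pol : not present"
    }
}
```

A policy key under `HKLM\SOFTWARE\Policies` on a home PC that was never domain-joined was written by something: an administrator, a security product, or unwanted software. Before removing it, compare the listed values with what the browser itself reports at Firefox's about:policies and Chrome's chrome://policy pages; a value that disables updates, pins a search provider or installs an extension is the kind of restriction worth keeping a record of.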

Chris Haslam
2022-04-20, 20:03
In a SS&D scan yesterday, VxLock didn't show, but it shows in a scan done today.

Juliet
2022-04-21, 00:17
Can you copy and paste the file or folder where this is found?

Chris Haslam
2022-04-21, 01:11
How do I do that?

I used FileFinder to look for file names containing VXLOCK everywhere on my PC. The only files it found are in Spybot's Quarantine folder. They are .zip files.

The scan log is:
Search results from Spybot - Search & Destroy

2022-04-20 18:00:42
Scan took 00:10:21.
6 items found.

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
Category=Tracks
ThreatLevel=2
Weblink=http://forums.spybot.info/forumdisplay.php?54

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Category=Tracks
ThreatLevel=2
Weblink=http://forums.spybot.info/forumdisplay.php?54

Cookie: [SBI $BCOOKIES] Browser: Cookie (1) (Browser: Cookie, nothing done)

Category=Browser
ThreatLevel=1
Weblink=http://forums.spybot.info/forumdisplay.php?54

Cache: [SBI $BCACHE00] Browser: Cache (54) (Browser: Cache, nothing done)

Category=Browser
ThreatLevel=1
Weblink=http://forums.spybot.info/forumdisplay.php?54

History: [SBI $BHISTORY] Browser: History (9) (Browser: History, nothing done)

Category=Browser
ThreatLevel=1
Weblink=http://forums.spybot.info/forumdisplay.php?54

Generic.Ransom.VxLock.886DC9DE;Generic.Ransom.VxLock.886DC9DE: [SBI $SpybotAV] Executable (File, nothing done)
<System>
Category=Viruses
ThreatLevel=5
Weblink=http://forums.spybot.info/forumdisplay.php?54
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E


--- Spybot - Search & Destroy version: 2.9.82.132 DLL (build: 20211105) ---

...

Juliet
2022-04-21, 02:15
Generic.Ransom.VxLock.886DC9DE;Generic.Ransom.VxLock.886DC9DE: [SBI $SpybotAV] Executable (File, nothing done)
<System>
Category=Viruses
ThreatLevel=5
Weblink=http://forums.spybot.info/forumdisplay.php?54
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Something I pick up on is that it has it listed as a ThreatLevel 5
That's odd to me; if anything I think it should say ThreatLevel 10, with sirens and whistles going off.

I can't tell if it's picking something up in your browser, temps, or cookies.

I'm going to attempt to contact another advisor and see if she can make heads or tails of this.
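
The quoted entry carries the two facts a triager would check first: `Properties.size=0` and `Properties.md5=D41D8CD98F00B204E9800998ECF8427E`, which is the MD5 of zero bytes of input. A detection whose only evidence is an empty file leaves nothing to analyse. The following is an added PowerShell example, not a Spybot tool or part of this thread, that parses scan-log entries in the format quoted above and sorts them by what they actually point at. `$logText` is copied from the scan log posted earlier, trimmed to three entries; the verdict wording is the example's own.

```powershell
# Constructed sample: three entries copied from the Spybot scan log in this thread.
$logText = @'
Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
Category=Tracks
ThreatLevel=2

Cookie: [SBI $BCOOKIES] Browser: Cookie (1) (Browser: Cookie, nothing done)

Category=Browser
ThreatLevel=1

Generic.Ransom.VxLock.886DC9DE;Generic.Ransom.VxLock.886DC9DE: [SBI $SpybotAV] Executable (File, nothing done)
<System>
Category=Viruses
ThreatLevel=5
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
'@

# MD5 of zero bytes, computed here rather than pasted, so the comparison below is self-checking.
$emptyMd5 = [BitConverter]::ToString(
    [System.Security.Cryptography.MD5]::Create().ComputeHash([byte[]]@())) -replace '-'

function Get-SpybotDetections {
    param([string]$Text)
    # Every entry starts with "<name>: [SBI $id] <kind> (<status>)". Splitting on a lookahead for that
    # header keeps the header with its entry and tolerates the blank line inside cookie/cache entries.
    $blocks = $Text -split '(?m)^(?=\S[^\r\n]*: \[SBI )' | Where-Object { $_.Trim() }
    foreach ($block in $blocks) {
        $lines = @($block -split '\r?\n' | ForEach-Object { $_.Trim() })
        $props = @{}
        foreach ($l in ($lines | Select-Object -Skip 1)) {
            if ($l -match '^([\w.]+)=(.*)$') { $props[$Matches[1]] = $Matches[2] }
        }
        # The second line is the location (registry key, file path or a placeholder such as <System>) when present.
        $location = ''
        if ($lines.Count -gt 1 -and $lines[1] -and $lines[1] -notmatch '=') { $location = $lines[1] }
        $size = $null
        if ($props.ContainsKey('Properties.size')) { $size = [int]$props['Properties.size'] }
        [pscustomobject]@{
            Name        = ($lines[0] -split ': \[SBI ')[0]
            Location    = $location
            Category    = $props['Category']
            ThreatLevel = [int]$props['ThreatLevel']
            Size        = $size
            Md5         = $props['Properties.md5']
        }
    }
}

Get-SpybotDetections $logText | ForEach-Object {
    if ($_.Category -ne 'Viruses') {
        $verdict = 'usage track or browser data, not malware'
    } elseif ($_.Size -eq 0 -and $_.Md5 -eq $emptyMd5) {
        $verdict = 'zero-byte file (MD5 of empty input): no sample to analyse, report as a possible false positive'
    } elseif ($_.Location -match '^[A-Za-z]:\\') {
        $verdict = 'real path: hash the file and check it before deleting'
    } else {
        $verdict = 'no usable location: ask for the full path'
    }
    '{0}  (level {1}): {2}' -f $_.Name, $_.ThreatLevel, $verdict
}
```

The point of computing `$emptyMd5` instead of pasting it is that the script then proves the claim on every run: whatever the scanner names the detection, a hit whose hash equals the hash of nothing cannot be a ransomware executable, and the right next step is the false-positive report rather than a cleanup tool. The `<System>` location with no file path is the other reason the quarantine could only ever contain empty .zip files.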

Chris Haslam
2022-04-21, 03:13
I can send you one of the zip files in SS&D\Quarantine, if that would be helpful --- and safe. These are spooky times!

Juliet
2022-04-21, 15:51
I have heard back from one of the advisors:


Yes, that does look like a false positive. Send them to post in the false positives forum,
https://forums.spybot.info/showthread.php?19117-How-to-report-possible-False-Positives
Then link to the false positive forum section:
https://forums.spybot.info/forumdisplay.php?16-False-Positives
It would be helpful if you asked him to post a link to his "remove Generic.Ransom.VxLock.E31AD1D6" thread in his false positive post as well, so they can look at the thread if they want any further info.

Chris Haslam
2022-04-21, 17:41
Working on reporting it

Chris Haslam
2022-04-21, 17:44
Do I need to subscribe to the False Positives thread?

Chris Haslam
2022-04-21, 19:11
I found that I was already subscribed: back in 2019

Juliet
2022-04-22, 00:27
I'm not sure how that forum works but would think you would need to subscribe to the topic you create.

Chris Haslam
2022-04-22, 01:32
I have posted to False Positives and linked back to our thread.

Chris Haslam
2022-04-22, 20:13
Posted to False Positives:

"A scan last night and again today, after the daily update, did not show VxLock. It appears that the problem is resolved."

Thank you for your help.

I will check my wife's PC to see whether it is also OK.

Juliet
2022-04-23, 15:50
Got my fingers crossed.

Chris Haslam
2022-04-23, 19:59
My wife's PC no longer shows VxLock

favicons.sqlite on her PC is 44 MB! I found a way, in Mozilla Help, of copying existing bookmarks to a newly installed Firefox. Perhaps this will reduce the size of favicons and stop Firefox crashing.

Juliet
2022-04-23, 20:07
Good deal

Use this tool to remove quarantined items:

Please download KpRm (https://toolslib.net/downloads/viewdownload/951-kprm) by Kernel-panik and save to your Desktop.

Click on KpRm.exe to run the tool.


Vista/Windows 7/8/10 users right-click and select Run As Administrator (http://windows.microsoft.com/en-US/windows7/How-do-I-run-an-application-once-with-a-full-administrator-access-token).

Put a check mark next to these items:


- Delete tools
- Delete now

Click the "Run" button.

https://github.com/KernelPan1k/KpRm/raw/master/screenshots/automatic.png

When the tool has finished, it will create and open a log report and delete itself.

Chris Haslam
2022-04-23, 22:54
Done, on my PC

Chris Haslam
2022-04-23, 23:07
I just looked at C:\ProgramData\Spybot - Search & Destroy\Quarantine using PowerDesk.

There are 146 files in this folder, including Generic.Ransom.VxLock.886DC9DE;Generic.Ransom.VxLock.*.zip The other zip files date from 2019.

Chris Haslam
2022-04-23, 23:09
KpRm .txt file
-------------
# Run at 2022-04-23 15:51:47
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by Chris from C:\Users\Chris\Desktop
# Computer Name: MOLLY
# OS: Windows 7 X86 (7601) Service Pack 1
# Number of passes: 2

- Checked options -

~ Delete Tools
~ Delete Quarantines

- Delete Tools -

[I] No tools found

-- KPRM finished in 1.67s --

Chris Haslam
2022-04-23, 23:15
Files are dated 2022-02-26 through 2022-04-23, and from 2019-10-07.

Chris Haslam
2022-04-24, 00:59
Would it be safe for me to delete all files in C:\ProgramData\Spybot - Search & Destroy\Logs ?

Or just Check*.txt files?

Juliet
2022-04-24, 15:35
If they're in a quarantine folder, those files aren't going anywhere, but I'm unsure which exactly can be deleted without it affecting the program in some way.

Juliet
2022-04-26, 00:14
This might help


false positive in 2019, Gen.Variant.Graftor:
https://forums.spybot.info/showthrea...ht=#post482945
That was a false positive from dropbox. Though for there to be 146 files in quarantine, some could just be old .zip files quarantined from usage tracks, if he scans for those, or various other little things.

Juliet
2022-05-11, 14:27
Glad we could help. http://i.imgur.com/SakDYGv.gif
Since this issue appears resolved ... this Topic is closed.